TRAINING COURSE SERIES No. 15 Regulatory control of nuclear power plants Part A (Textbook) INTERNATIONAL ATOMIC ENERGY AGENCY, VIENNA, 2002 The originating Section of this publication in the IAEA was: Safety Co-ordination Section International Atomic Energy Agency Wagramer Strasse 5 P.O. Box 100 A-1400 Vienna, Austria REGULATORY CONTROL OF NUCLEAR POWER PLANTS PART A (TEXTBOOK) IAEA, VIENNA, 2002 IAEA–TCS–15 ISSN 1018–5518 © IAEA, 2002 Printed by the IAEA in Austria September 2002 FOREWORD The purpose of this book is to support IAEA training courses and workshops in the field of regulatory control of nuclear power plants as well as to support the regulatory bodies of Member States in their own training activities. The target group is the professional staff members of nuclear safety regulatory bodies supervising nuclear power plants and having duties and responsibilities in the following regulatory fields: regulatory framework; regulatory organization; regulatory guidance; licensing and licensing documents; assessment of safety; and regulatory inspection and enforcement. Important topics such as regulatory competence and quality of regulatory work as well as emergency preparedness and public communication are also covered. The book also presents the key issues of nuclear safety such as ‘defence-in-depth’ and safety culture and explains how these should be taken into account in regulatory work, e.g. during safety assessment and regulatory inspection. The book also reflects how nuclear safety has been developed during the years on the basis of operating experience feedback and results of safety research by giving topical examples. The examples cover development of operating procedures and accident management to cope with complicated incidents and severe accidents to stress the importance of regulatory role in nuclear safety research. The main target group is new staff members of regulatory bodies, but the book also offers good examples for more experienced inspectors to be used as comparison and discussion basis in internal workshops organized by the regulatory bodies for refreshing and continuing training. The book was originally compiled on the basis of presentations provided during the two regulatory control training courses in 1997 and 1998. The written presentations were collected from the lecturers and compiled before and during the consultants meeting from 16– 20 November 1998 in Vienna, where final compilation was done. The textbook was reviewed at the beginning of the years 2000 and 2002 by IAEA staff members and consistency with the latest revisions of safety standards have been ensured. The textbook was completed in the consultants meeting at the end of 2001 by adding updates on the Nuclear Safety Convention and US regulatory practices. The main purpose of the book is to provide written background material to the participants and to support lecturers of the training courses on Regulatory Control of Nuclear Power Plants. The idea is to present general practices recommended by the IAEA in its safety guidance as well as country specific examples of how these general principles and requirements have been implemented in various countries. Lecturers can provide detailed information concerning their own countries and organizations but it is often difficult for them to provide as detailed knowledge on other countries and organizations. Therefore different examples are valuable for comparison. The examples selected are representative, showing existing and functional practices, and also provide a good selection of different practices adopted by different regulatory organizations. They reflect practices in large and small countries and regulatory bodies. They do not follow any particular regulatory practice but try to offer several alternatives to be useful for many inspectors coming from different types of organizations. The textbook has been compiled from the presentations provided during the training courses on Regulatory Control of Nuclear Power Plants from 1997 to 2001. The written presentations were collected from the lecturers and compiled before and during the consultants meetings held 16–20 November 1998 and 1–5 October 2001 in Vienna by K. Burkart, Germany, J. Libmann, France, C. Stoiber, United States of America. The IAEA officer responsible for the publication was I. Aro of the Department of Nuclear Safety. Ongoing responsibility lies with L. Lederman of the Division of Nuclear Installation Safety. The course was organized eight times in Europe: in Slovakia, Finland, the Czech Republic, Germany (four times) and the United Kingdom in 1994–2001 and two times in Asia: in Indonesia and in the Republic of Korea. Some of the lecturers have participated in several courses and are also the main contributors to the written text parts. Also several German lecturers have contributed in various regulatory fields providing German examples. The Gesellschaft für Anlagen und Reaktorsicherheit (GRS)mbH, Germany, Health and Safety Executive, United Kingdom, Institute for Protection and Nuclear Safety (IPSN), France, and Radiation and Nuclear Safety Authority (STUK), Finland, and the US Nuclear Regulatory Commission provided material support in the form of examples. EDITORIAL NOTE The use of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries. The mention of names of specific companies or products (whether or not indicated as registered) does not imply any intention to infringe proprietary rights, nor should it be construed as an endorsement or recommendation on the part of the IAEA. CONTENTS 1. LEGISLATIVE AND REGULATORY FRAMEWORK ................................................. 1 1.1. 1.2. 1.3. 1.4. 2. IAEA approach to nuclear safety............................................................................. 1 1.1.1. Historical development ............................................................................. 1 1.1.2. IAEA Nuclear Safety Requirements and Guides ...................................... 2 1.1.3. IAEA requirements for the governmental level and for the operator........ 6 1.1.4. IAEA Requirements for nuclear safety legislation ................................... 6 1.1.5. Safety objectives and safety criteria for nuclear power plants .................. 7 International safety related conventions ................................................................ 12 1.2.1. Convention on Nuclear Safety ................................................................ 12 1.2.2. Other international nuclear safety related conventions ........................... 24 National regulatory framework ............................................................................. 27 1.3.1. The state, its structures and its duties...................................................... 27 1.3.2. Responsibilities of the four main organizations...................................... 29 1.3.3. Nuclear safety legislation ........................................................................ 31 1.3.4. National and international institutions for matters of standardization ....................................................................... 33 1.3.5. Types of regulatory guidance .................................................................. 34 1.3.6. Safety criteria for nuclear power plants................................................... 35 Illustration through national examples .................................................................. 37 1.4.1. Finland..................................................................................................... 37 1.4.2. Germany .................................................................................................. 40 1.4.3. United Kingdom...................................................................................... 48 1.4.4. Governmental organization for nuclear safety in the USA ..................... 49 REGULATORY BODY .................................................................................................. 54 2.1. 2.2. 2.3. 2.4. 2.5. Regulatory independence ...................................................................................... 54 Organization and functions of regulatory body ..................................................... 56 2.2.1. IAEA guidance for regulatory organization ............................................ 56 2.2.2. Examples of regulatory organizations ..................................................... 60 Licensing of a nuclear power plant........................................................................ 76 2.3.1. IAEA approach to licensing .................................................................... 76 2.3.2. Examples of licensing practices .............................................................. 77 Quality assurance, performance reviews and self-assessment in the regulatory body...................................................................................................... 90 2.4.1. Quality assurance .................................................................................... 90 2.4.2. Performance reviews — IAEA IRRT services........................................ 92 2.4.3. Quality assurance and self-assessment in the regulatory body — an example .............................................................................................. 93 Professionalism and training of regulatory body staff........................................... 96 2.5.1. Regulatory role and duties....................................................................... 98 2.5.2. Rights ...................................................................................................... 98 2.5.3. Obligations .............................................................................................. 99 2.5.4. Responsibilities ....................................................................................... 99 2.5.5. Relationships with the power company................................................. 100 2.5.6. Professional behaviour .......................................................................... 100 2.5.7. Inspection/auditing techniques .............................................................. 100 2.5.8. Inspection philosophy............................................................................ 101 2.5.9. Maintaining competence ....................................................................... 102 2.5.10. Training of inspectors............................................................................ 102 3. ASSESSMENT OF SAFETY........................................................................................ 103 3.1. 3.2. 4. INSPECTION AND ENFORCEMENT BY THE REGULATORY BODY ................ 155 4.1. 4.2. 5. IAEA guidance for regulatory review and assessment ........................................ 103 3.1.1. Safety objectives and safety requirements for review and assessment .......................................................................... 105 3.1.2. Areas for review and assessment........................................................... 106 3.1.3. Review and assessment methodology ................................................... 108 3.1.4. Quality assurance in the review and assessment process ...................... 115 3.1.5. Topics to be covered by regulatory review and assessment .................. 115 Country specific approaches and experience....................................................... 119 3.2.1. Deterministic safety approach — French experience............................ 119 3.2.2. Assessment of modifications — German and Finnish experience........ 133 3.2.3. Assessment of operational experience — French experience .............. 136 3.2.4. Periodic safety review, reassessment for renewing the operating licence — French experience ................................................ 148 IAEA guidance on inspection and enforcement .................................................. 155 4.1.1. Regulatory inspection programme ........................................................ 157 4.1.2. Inspection areas ..................................................................................... 159 4.1.3. Implementation of an inspection programme........................................ 159 4.1.4. Enforcement actions.............................................................................. 165 Examples of specific inspections ........................................................................ 167 4.2.1. Regulatory inspection in Finland .......................................................... 167 4.2.2. Examples of specific inspections — German practices ........................ 179 4.2.3. Inspection practices in the United Kingdom ......................................... 199 DOCUMENTATION .................................................................................................... 213 5.1. IAEA guidance for documents generated by the operator and the regulatory body within an authorization process................................................. 213 5.1.1. Documents produced by the operator.................................................... 213 5.1.2. Documents produced by the regulatory body for a specific facility ...................................................................................... 217 5.2. Country specific approaches and examples ............................................................ 223 5.2.1. Use of licensing and commissioning documents in Finland ................ 223 5.2.2. Structure and content of the QA manual (Germany)............................. 230 5.2.3. Use of the licensing documents and updating procedures .................... 234 6. DEVELOPING SAFETY .............................................................................................. 238 6.1. The role of the regulator in the development of safety culture............................ 238 6.1.1. Stage of safety culture — safety is solely based on rules and regulations.............................................................................. 239 6.1.2. Stage of safety culture — good safety performance is an organizational goal ................................................................................ 240 6.1.3. 6.2. 6.3. 7. EMERGENCY ARRANGEMENTS............................................................................. 278 7.1. 7.2. 7.3. 7.4. 7.5. 7.6. 7.7. 7.8. 7.9. 7.10. 7.11. 8. Stage of safety culture — safety performance can always be improved............................................................................... 240 6.1.4. General practices to develop organizational effectiveness.................... 242 The role of assessment in the development of safety culture .............................. 246 6.2.l. How to measure safety culture .............................................................. 246 6.2.2. Organizational issues............................................................................. 248 6.2.3. Regulatory issues................................................................................... 250 6.2.4. Employee issues .................................................................................... 253 6.2.5. Plant conditions and trending................................................................ 256 Illustration through national examples ................................................................ 256 6.3.1. Risk-informed, performance-based regulation in the USA................... 256 6.3.2. German safety culture experiences........................................................ 262 6.3.3. Interface of regulator and operator — Finnish experience.................... 269 Warning of the emergency management authorities ........................................... 278 Response of the emergency management authority ............................................ 280 Assessment .......................................................................................................... 281 Monitoring and measurements ............................................................................ 282 Intervention.......................................................................................................... 283 Plans, resources, work sheets, guidance.............................................................. 284 Communication with the media and the public................................................... 285 Decision support systems .................................................................................... 286 Protection of emergency workers ........................................................................ 286 Training and exercises......................................................................................... 287 Co-operation with neighbouring States ............................................................... 288 COMMUNICATION WITH THE PUBLIC.................................................................. 288 8.1. 8.2. General information ............................................................................................ 288 8.1.1. Role of the regulatory authority ............................................................ 288 8.1.2. Fundamentals of nuclear communications ............................................ 290 Country specific approaches and experience....................................................... 292 8.2.1. Establishing a public information policy in Finland ............................. 292 8.2.2. Criteria for reporting operating events .................................................. 293 8.2.3. STUK’s quarterly reports on the operation of nuclear power plants..... 294 8.2.4. Technical tools to offer prompt information ......................................... 295 8.2.5. Communication is intensified during an incident ................................. 295 8.2.6. The INES classification is a useful tool in informing the public .......... 297 8.2.7. Observations about crisis communication............................................. 298 APPENDICES Appendix I: Examples of evolution of an operation manual — Operating procedures ................................................................................. 301 Appendix II: Complementary operating conditions ........................................................ 307 Appendix III: Preparation for the management of severe accidents ................................. 316 Appendix IV: List of the IAEA safety requirements and guides ..................................... 334 Appendix V: List of Finnish YVL guides........................................................................ 338 Appendix VI: IAEA International Nuclear Events Scale (INES) ..................................... 341 Appendix VII: Regulatory control of nuclear power plants — Syllabus and example course programme (Karlsruhe, 2000) .................... 347 REFERENCES....................................................................................................................... 351 CONTRIBUTORS TO DRAFTING AND REVIEW............................................................ 353 1. LEGISLATIVE AND REGULATORY FRAMEWORK 1.1. IAEA APPROACH TO NUCLEAR SAFETY 1.1.1. Historical development From the very beginning of research and industrial development towards peaceful use of nuclear energy, safety was an important concern and “prevention” was also identified as an important and effective safety factor. Considering the history of industrial development, this is one of the first instances, if not the first example, where those in charge of research, development and industrial realisation were aware not only of the dangers associated with implementation of the new energy source but also the need to consider safety as a condition for further realisation. The importance of nuclear safety has been recognised since the early phase of nuclear power plant development. After about a quarter of a century of independent national development of nuclear reactors in a few countries (1950–1975), the need and usefulness of considering the “new” technology at the international level was felt and has lead to corresponding actions. The following illustrates the development: The strong need of international co-operation resulted in the creation of the IAEA in 1956. The objectives and functions of the IAEA are presented in the Statute of the IAEA. The Article II presents the essence: “The Agency shall seek to accelerate and enlarge the contribution of atomic energy to peace, health and prosperity throughout the world. It shall ensure, so far as it is able, that assistance provided by it or at its request or under its supervision or control is not used in such a way as to further any military purpose.” The Article III lists main functions of the IAEA including “fostering the exchange of scientific and technical information”, “encouraging the exchange and training of scientists and experts” and “establishing standards of safety for protection of health and minimization of danger to life and property, and providing for the application of these standards to its own operations as well as to operations making use of IAEA materials, services and information”. The start, in 1974, of the IAEA NUSS Programme [1] for nuclear power plants followed, after 10 years of good international co-operation, by the publication of 5 codes of practice and about 60 safety guides in the IAEA Safety Series. On the basis of experience and new developments, at both the technological and the “philosophical” level, revision of these documents has been decided and began at the end of 1980s. This work is still going on to have a complete revised set of nuclear Safety Standards including Safety Fundamentals, Requirements and Guides. In 2000, new revised Requirements were published [2–6]. During the last 10 to 15 years, time and effort have been invested in further international co-operative thinking and discussion on nuclear safety. Results and conclusions have been and continue to be published by several international organizations, especially by IAEA in its Safety Series. International nuclear safety advisory group (INSAG) has produced useful basic philosophical reports such as expression of the basic safety principles which are reflected in the IAEA Safety Fundamentals [7, 8] and development of concepts e.g. defence in depth [9] and safety culture [10]. 1 In addition to the safety of nuclear power plants, other safety areas are being considered. The management of radioactive waste and the transport of nuclear materials are among the most important of these areas. The future role of nuclear energy depends on a consistent, demonstrated record of safety in all applications. Although IAEA is not an international Regulatory Body, its nuclear safety efforts are directed towards creating multilateral, legally binding agreements, which are increasingly important mechanism for improving nuclear safety, radiation safety and waste safety around the world. This is done by means of International Conventions (e.g. nuclear safety, civil liability, early notification of nuclear accidents and radiological emergencies, mutual assistance in case of nuclear accidents and radiological emergencies, radioactive waste management, physical protection [11–14]). International conventions are binding legal instruments for the countries that sign and ratify them. The Convention on Nuclear Safety (for nuclear power plants) has been put into force on October 24, 1996, and is presently in the phase of implementation [11, 14]. A “sister” Convention on the safety of radioactive waste management has been put into force on 18 June 2001 [13]. 1.1.2. IAEA Nuclear Safety Requirements and Guides [1] 1.1.2.1. Development of IAEA Requirements and Guides The development of nuclear and radiation safety Standards is a statutory function of the IAEA, which is unique in the United Nations system. The IAEA Statute expressly authorizes the Agency “to establish standards of safety” and “to provide for the application of these standards”. Over the years, more than 200 safety standards have been published in the IAEA´s Safety Series of publications: x The Nuclear Safety Standards (NUSS); x The International Basic Safety Standards for Protection Against Ionising Radiation and for the Safety of Radiation Sources (the Basic Safety Standards), with supporting documents; x The Radioactive Waste Safety Standards (RADWASS); and x The Regulations for the Safe Transport of Radioactive Material. In 1996, a new uniform preparation and review process was introduced, covering all areas in which the IAEA establishes safety standards. As a consequence, the IAEA´s Safety Series was being replaced by two new series of safety-related publications, namely: x The Safety Standards Series; x The Safety Reports Series. The purpose is to separate those IAEA Safety Standards publications which spell out safety objectives, concepts, principles, requirements and guidance — as a basis for national regulations, or as an indication of how various safety requirements may be met — from those publications which are issued for the purpose of fostering information exchange in safety. The publications in the Safety Standards Series will be issued pursuant to the IAEA´s statutory function to establish safety standards. The publications in the Safety Reports Series 2 will be issued for the purpose of providing information on ways of ensuring safety (essentially, they will replace the IAEA´s safety practices documents and other publications). The change took effect in 1996, with the publication in the safety standards series of the latest edition of the regulations for the safe transport of radioactive material As Safety Standards Series No. ST-1. The Safety Standards Series comprises the following levels of documents: x Safety Fundamentals. x Safety Requirements. x Safety Guides. The series cover nuclear safety, radiation safety, waste safety, and transport safety. It also covers general topics (such as governmental organization, quality assurance, and emergency preparedness) relevant to all four of those fields that will be dealt with in a separate category of general safety documents. The Safety Fundamentals Documents are the policy documents of the IAEA Safety Standards series. They state the basic objectives, concepts and principles involved in ensuring protection and safety in the development and application of atomic energy for peaceful purposes. They state — without providing technical details and, as a rule, without going into the application of principles — the rationale for actions necessary in meeting safety requirements. There are currently three Safety Fundamentals Documents: for nuclear safety, radiation safety and waste safety. The IAEA has started actions to combine these documents into one Safety Fundamentals document that then covers all these areas. The Safety Requirements deal with the basic requirements that must be met in order to ensure the safety of particular activities. These requirements are governed by the basic objectives, concepts and principles presented in the safety fundamentals documents. The written style (with “shall” statements) is that of regulatory documents so that States may adopt the Safety Requirements at their own discretion, as national regulations. Earlier these safety requirements documents were called as Codes [5, 6]. The Safety Guides documents contain recommendations (with “should” statements), based on international experience, regarding measures to ensure that the safety requirements are met. But unless alternative equivalent measures are implemented, the “should” statements become “shall” requirements. IAEA Safety Standards have been developed on the basis of international consensus and as such they reflect very widely accepted safety levels. During the development or revision of a safety standard all member states have the possibility to present their comments on the welldeveloped draft document, and these comments are taken into account in the final draft that is sent to NUSSC and CSS for approval. Final approval to take the safety standard into use is given either by the Director General or Board of Governors depending on the level of the safety standard. IAEA Safety Standards present some kind of minimum internationally acceptable level. As such they do not necessarily reflect current requirement level in a specific country. In some countries, the requirement level for certain issues may be higher for various reasons, e.g. because of density of population. Each country should define its own acceptable 3 Atomic La w IAEA Sa fety Stand a rd s Series IAEA Sa fety Rep orts Series Dec ree Fund a menta ls Reg ula tion Req uirements Reg ulatory Guid es Sa fety Guid es Ind ustria l Sta nd a rd s FIG. 1. The hierarchy of legal and regulatory documents and their comparison with the IAEA Safety Standards. safety level on the basis of local conditions and governmental practices. In this work the IAEA Safety Standards are useful because they show key issues and present possible acceptable solutions. If there are large deviations compared to the internationally agreed safety level, special consideration should be given to these issues. Figure 1 relates the IAEA Safety Standards to national nuclear law, regulations and regulatory guides. The list of IAEA Safety Standards in the field of nuclear facilities is presented in Appendix IV. The current status of the standards development is presented on the IAEA Internet site: www.iaea.org/ns/coordinet. The most recent standards are also available through Internet from the site: www.iaea.org/Worldatom/Books/Featured Series/index.shtml, where the actual standards can be read and printed in pdf format. In addition to the IAEA Safety Fundamentals, Safety Requirements and Guides there is also an international agreement, the Convention on Nuclear Safety (Vienna, 1994). This agreement is signed and ratified by the governments of participating countries and with the ratification the countries bind themselves to fulfil the requirement level presented in the convention. The level defined by the Convention on Nuclear Safety is very similar to what is defined by the IAEA Safety Fundamentals. It is important to note that the IAEA Safety Standards are not binding documents in the member states. In accordance with the importance of safety IAEA provided for a Commission of Safety Standards (CSS) as a standing body of senior government officials holding national responsibilities for establishing standards and other regulatory documents relevant to nuclear, radiation, waste and transport safety. It has a special overview role with regard to the IAEA’s Safety Standards and provides advice to the Director General on the overall programme related to safety standards. Figure 2 shows an organization chart of the CSS’s committees inside the IAEA. 4 FIG. 2. The committees for IAEA Safety Standards. 1.1.2.2. Safety requirements The IAEA has set up the Safety Requirements (earlier Codes), providing a good basis for the safety of nuclear power plants. Today also the principles recommended by the INSAG are followed by member states. They include the basic safety principles for NPP, which have greatly influenced the development of the safety requirements. In the following a brief outline of the safety requirements are given (see also Appendix IV): Governmental organization: The requirements deal with establishing a Regulatory Body, covers aspects related to the radiological safety of the general public and site personnel and gives general requirements for organization of the Regulatory Body, the role and responsibilities of the Regulatory Body, the basic requirements imposed on an applicant, the licensing process and licensing decisions, and inspection and enforcement by the Regulatory Body [2]. Design: The requirements give the basic safety requirements that must be incorporated in the concept and in the detailed design in order to produce a safe plant. Following general practice, the requirements present the concept of defence in depth, e.g. successive barriers to prevent the escape of radioactive material. In case of the failure of a barrier, design provisions are made available to mitigate the consequences of such failures [3]. Operation: The prime responsibility for the safety of the plant rests with the operating organization. This is the basic concept underlining the requirements for operation. The requirements deal with safety related aspects of operation including: operating limits and conditions, commissioning, structure of the operating organization, operating instructions and procedures, maintenance, testing, inspection, core management and fuel handling, review of operation and feedback of experience, emergency preparedness, radiation protection and decommissioning [4]. 5 Siting: The requirements specified in the siting Code (not yet revised) deal with the evaluation of site-related factors to be taken into account to ensure that the plant-site combination does not constitute an unacceptable risk during the life time of the plant. This includes evaluation of the potential effect on the site of natural and other phenomena that might affect the area (i.e. earthquakes, floods, aircraft crashes, chemical explosions), evaluation of effects of the plant itself on the site (i.e. dispersion of effluents in air and water), and consideration of population distribution and emergency planning. The Code also covers the role of the owner of the future plant and the regulatory body in siting [5]. Quality assurance: The requirements specified in the quality assurance (QA) code provide an efficient management tool that could be used by both the plant management and the regulatory organization to gain confidence in the safety and quality of a nuclear power plant. The QA requirements oblige plant designers, constructors, installers and operators to plan, conduct, and document their work systematically. This allows the verification of all activities not only by physical inspection or testing of hardware in the plant but also through indirect methods such as evaluation of the effectiveness of the respective QA programmes [6]. 1.1.3. IAEA requirements for the governmental level and for the operator [2] There are certain prerequisites for the safety of facilities and activities presented in the Safety Series Documents of the IAEA. These give rise to the requirements presented in Table I that shall be fulfilled by the legislative and governmental mechanisms of member states. They cover the establishment of legislation and regulatory framework including regulator’s independence and authority. They also refer to international safety related conventions, treaties and agreements which need to be taken into account in the legislation such as definition of liabilities in respect of nuclear damage and provision of financial security. They stress also that the regulatory body needs advisory committees, technical support and regulatory research to support its activities. Safety of facilities contains also management of spent fuel and nuclear waste, safe transport of nuclear material and arrangements by governmental emergency response and physical protection. The prime responsibility for safety shall be assigned to the operator. The operators have the responsibility for ensuring safety in the siting, design, construction, commissioning, operation and decommissioning or closure of their facilities, including, as appropriate, rehabilitation of contaminated areas, and for activities using, transporting or handling radioactive material. The radioactive waste generators shall have the responsibility for the safe management of the radioactive waste that they produce. During transportation of radioactive material, primary reliance for safety is put on the use of approved packaging. Compliance with the requirements imposed by the regulatory body does not relieve the operator of its prime responsibility for safety. The operator demonstrates to the satisfaction of the regulatory body that this responsibility has been and will continue to be discharged. 1.1.4. IAEA requirements for nuclear safety legislation [2] Legislation is promulgated to provide for the effective control of nuclear, radiation, waste and transport safety. The IAEA requirements for legislation are presented in Table II. Most of the requirements for the governmental level also appear as requirements for legislation. 6 TABLE I. IAEA REQUIREMENTS FOR THE GOVERNMENTAL LEVEL [2] x To establish a legislative and statutory framework to regulate the safety of facilities and activities; x To establish and maintain a regulatory body which shall be effectively independent from organizations or bodies charged with the promotion of nuclear technologies or responsible for facilities or activities. This is necessary so that regulatory judgements can be made, and enforcement actions taken, without pressure from interests that may compete with safety; x To assign responsibility to the regulatory body for authorization, regulatory review and assessment, inspection and enforcement, and for establishing safety principles, criteria, regulations and guides; x To provide the regulatory body with adequate authority, power, staffing and financial resources to discharge its assigned responsibilities; x To ensure that no other responsibility is assigned to the regulatory body which may jeopardise or conflict with its responsibility for regulating safety; x To ensure that adequate arrangements are made for decommissioning, close out or closure, site rehabilitation and the safe management of spent fuel and radioactive waste; x To ensure that adequate arrangements are made for the safe transport of radioactive material; x To establish, if necessary, advisory committees to assist the government and the regulatory body on safety issues; x To establish governmental emergency response and intervention capabilities; x To ensure the adequacy of physical protection arrangements, where they influence safety; x To provide for adequate financial indemnification arrangements for third parties in the event of a nuclear or radiation accident in view of the potential damage and injury which may arise from an accident; and x To provide for the technological infrastructure necessary to support the safety of facilities and activities, where these are not provided by other organizations. If other authorities, which may not meet the requirements of independence, are involved in the granting of authorizations, it is ensured that the safety requirements of the regulatory body are not ignored or modified in the regulatory process. 1.1.5. Safety objectives and safety criteria for nuclear power plants 1.1.5.1. Safety objectives Establishing and maintaining safety is the main purpose for establishing an adequate framework for surveillance and control of all activities associated with nuclear installations. For the sake of clarity for all parties involved it is therefore a “must” to give them the frame in which they can or have to act. The essential part of this frame is a coherent set of safety objectives. Such a set of safety objectives indicates what has to be achieved, but does not impose or prescribe the way to reach it. The essence of the IAEA requirements on nuclear safety published in the nuclear safety standards documents has been formulated in three overall safety objectives. These three overall safety objectives read as follows [8]. 7 TABLE II. IAEA REQUIREMENTS FOR NUCLEAR LEGISLATION [2] x Set out objectives for protecting individuals, society and the environment from radiation hazards, both for the present and in the future; x Specify facilities, activities and materials that are included in the scope of the legislation and what is excluded from the requirements of any particular part of the legislation; x Establish authorization and other processes (e.g. licensing, registration, notification, exemption), taking into account the potential magnitude and nature of the hazard associated with the facility or activity and define the different steps of the processes; x Establish a regulatory body with authority; x Arrange for funding of the regulatory body adequate for it to function effectively; x Specify the process for removal of a facility or activity from regulatory control; x Provide a procedure for review of, and appeal against, regulatory decisions (without compromising safety); x Allow for the creation of independent advisory bodies to provide expert opinion and consultation for the government and regulatory body; x Set up a means whereby research and development in important safety areas is carried out; x Define liabilities in respect of nuclear damage; x Set out the arrangements for provision of financial security in respect of any liabilities; x Set out the responsibilities and obligations in respect of financial provision for radioactive waste management and decommissioning; x Define what is an offence and the corresponding penalties; x Implement any obligations under international treaties, conventions or agreements; x Define the involvement of the public and other bodies in the regulatory process; and x Specify the nature and extent of retrospective application of new requirements to existing facilities and activities. General nuclear safety objective To protect individuals, society and the environment from harm by establishing and maintaining in nuclear installations effective defences against radiological hazards. Radiation protection objective To ensure that in all operational states radiation exposure within the installation or due to any planned release of radioactive material from the installation is kept below prescribed 8 limits and as low as reasonably achievable, and to ensure mitigation of the radiological consequences of any accidents. Technical safety objective To take all reasonably practicable measures to prevent accidents in nuclear installations and to mitigate their consequences should they occur; to ensure with a high level of confidence that, for all possible accidents taken into account in the design of the installation, including those of very low probability, any radiological consequences would be minor and below prescribed limits; and to ensure that the likelihood of accidents with serious radiological consequences is extremely low. All other principles and criteria relevant to nuclear safety and radiation protection are derived from these three overall safety objectives. In its report [7], the International Nuclear Safety Advisory Group has formulated a number of these derived principles and proposed one possible way of presenting them graphically in a hierarchical presentation and, as they are not independent from each other, showing also their interrelationship. As they are the immediate sources of corresponding safety criteria, they will be considered together with such criteria. In preparing the safety fundamentals, NUSSC went even further in condensing the principles derived from the three basic safety objectives and identified 25 basic safety principles (see Table III), which have been taken up as technical basis for the Nuclear Safety Convention (see Table IV). The defence in depth concept and engineered safety features are dealt with in Section 3. 1.1.5.2. Basic safety principles It is useful to see what kind of safety principles have been presented for nuclear power plants in the safety fundamentals document. Table III summarizes the basic safety principles. These principles should form a basis for national safety criteria (see 1.3.6). The principles for governmental organization are described in 1.1.3 and 1.1.4. The following is an extract of the Safety Fundamentals [8] presenting safety principles for nuclear power plants: Management of safety x Organizations engaged in activities important to safety should establish policies that give safety matters the highest priority, and shall ensure that these policies are implemented within a managerial structure having clear divisions of responsibility and clear lines of communication. x Organizations engaged in activities important to safety shall establish and implement appropriate quality assurance programmes that extend throughout the life of the installation, from siting and design through to decommissioning. x Organizations engaged in activities important to safety shall ensure that there are sufficient numbers of adequately trained and authorized staff working in accordance with approved and validated procedures. 9 TABLE III. 25 IAEA SAFETY PRINCIPLES PRESENTED IN THE SAFETY FUNDAMENTALS Government/Organization x x x x x x x x Legislation Operator’s responsibility Independent regulator Safety policy: safety first QA programmes Competent staff Human performance Emergency response Design of NPP Operation of NPP x Siting x Prevention of accidents x Defence in depth x Proven technology x Man-machine interface x Radiation protection x Safety assessment & independent verification x Commissioning x x x x x x x x x Operational limits and conditions Competent operators & procedures Engineering & technical support Emergency operating procedures Operating experience feedback Waste management Decommissioning Verification: analysis & surveillance Systematic safety reassessment x The capabilities and limitations of human performance shall be taken into account at all stages in the life of the installation. x Emergency plans for accident situations shall be prepared and appropriately exercised by all organizations concerned. The capability to implement emergency plans shall be in place before an installation commences operation. Siting x The site selection shall take into account relevant features that might affect the safety of the installation, or be affected by the installation, and the feasibility of carrying out emergency plans. All aspects shall be evaluated for the projected lifetime of the installation and re-evaluated as necessary to ensure the continued acceptability for safety of site related factors. Design and construction x The design shall ensure that the nuclear installation is suited for reliable, stable and easily manageable operation. The prime goal shall be the prevention of accidents. x The design shall include the appropriate application of the defence in depth principle so that there are several levels of protection and multiple barriers to prevent releases of radioactive materials, and to ensure that failures or combinations of failures that might lead to significant radiological consequences are of very low probability. x Technologies incorporated in a design shall be proven or qualified by experience or testing or both. x The systematic consideration of the man-machine interface and human factors shall be included in all stages of design and in the associated development of operational requirements. 10 x The exposure to radiation of site personnel and releases of radioactive materials to the environment shall be made by design as low as reasonably achievable. x A comprehensive safety assessment and independent verification shall be carried out to confirm that the design of the installation will fulfil the safety objectives and requirements, before the operating organization completes its submission to the regulatory body. Commissioning x Specific approval by the regulatory body shall be required before the start of normal operation on the basis of an appropriate safety analysis and a commissioning programme. The commissioning programme shall provide evidence that the installation as constructed is consistent with design and safety requirements. Operating procedures shall be validated to the extent practicable as part of the commissioning programme, with the participation of the future operating staff. Operation and maintenance x A set of operational limits and conditions derived from the safety analysis, tests and subsequent operational experience shall be defined to identify safe boundaries for operation. The safety analysis, operating limits and procedures shall be revised as necessary if the installation is modified. x Operation, inspection, testing and maintenance and supporting functions shall be conducted by sufficient numbers of adequately trained and authorized personnel in accordance with approved procedures. x Engineering and technical support, with competence in all disciplines important for safety, shall be available throughout the lifetime of the installation. x The operating organization shall establish documented and approved procedures as a basis for operator response to anticipated operational occurrences and accidents. x The operating organization shall report incidents significant to safety to the regulatory body. The operating organization and the regulatory body shall establish complementary programmes to analyse operating experience to ensure that lessons are learned and acted upon. Such experience shall be shared with relevant national and international bodies. Radioactive waste management and decommissioning x The generation of radioactive waste, in terms of both activity and volume, shall be kept to the minimum practicable by appropriate design measures and operating practices. Waste treatment and interim storage shall be strictly controlled in a manner consistent with the requirements for safe final disposal. x The design of an installation and the decommissioning programme shall take into account the need to limit exposures during decommissioning to as low as is reasonably achievable. Prior to the initiation of decommissioning activities, the decommissioning programme shall be approved by the regulatory body. 11 Verification of safety x The operating organization shall verify by analysis, surveillance, testing and inspection that the physical state of the installation and its operation continue in accordance with operational limits and conditions, safety requirements and the safety analysis. x Systematic safety reassessments of the installation in accordance with the regulatory requirements shall be performed throughout its operational lifetime, with account taken of operating experience and significant new safety information from all relevant sources. 1.2. INTERNATIONAL SAFETY RELATED CONVENTIONS 1.2.1. Convention on Nuclear Safety 1.2.1.1. Introduction Prior to adoption of the Convention on Nuclear Safety (CNS) [11], the control and regulation of nuclear energy for peaceful purposes was governed almost exclusively by the domestic national laws of states using nuclear technology. An important result of the Convention was to bring the subject of nuclear safety within the ambit of international law for the first time. When a state adheres to an international treaty or convention, such as the CNS, that action has both internal and external legal consequences. Adopting an international instrument requires a state to conform its internal laws and regulations to the terms of that instrument. However, by adopting the instrument, a state also incurs obligations to all other states that are party to the instrument. This means that a state’s activities regarding nuclear safety are properly subject to review and assessment by other states, through the processes and procedures contained in the CNS. Under this legal regime, states now have a right (indeed, an obligation) to make judgements about how other States are conducting their nuclear safety activities, and whether they are complying with their obligations under the convention. Three aspects of the Convention on Nuclear Safety are important in understanding its status as an international law instrument. First, it is useful to provide a context for the CNS by reviewing the historical and political background of its development and to outline its basic character under international law. Second, an article-by-article review of the convention’s substantive provisions is necessary to clarify the overall structure and content of its obligations. And third, a discussion of the procedural mechanism set forth in the CNS is essential to understand how it is implemented, both within States and multilaterally. 12 1.2.1.2. Historical and political background Origins of the Convention on Nuclear Safety As stated, from the beginning of the nuclear age, regulation of the safety of nuclear facilities was deemed a matter of strictly national jurisdiction. However, the major reactor accident at Chernobyl in the USSR (now Ukraine) in 1986 fundamentally changed the thinking of both the public and governments on this approach. Because of the transboundary impacts of the accident, many governments urged that an international legal instrument be adopted to codify basic measures that States should follow to ensure an appropriate level of safety at their nuclear installations. Immediately following the accident, a number of member states of the IAEA called for negotiation of a nuclear safety convention. However, at that time there was insufficient political will to go forward, and the initiative languished for several years. Negotiation of the CNS In September 1991, the General Conference of the IAEA adopted a resolution requesting the Director General to establish an informal open-ended working group to develop the text of a safety convention. The terms “informal” and “open-ended” meant that the convention text would be developed by a body comprised of safety experts, rather than governmental representatives with firm political instructions, and that the body would be open to all interested IAEA member states. The work of the expert group was not a formal diplomatic negotiation, but an extended technical and legal process conducted in some nine meetings over a 3 year period. This approach permitted consultations on the text to be quite flexible; less shaped by political considerations than the technical and managerial principles of good practice on nuclear safety. The working document for the CNS was the IAEA Safety Fundamentals document which reflected a consensus of technical experts over the previous years. The fundamental task of the working group was to convert the principles in this nonbinding guidance document into provisions that states would be willing to accept as binding under international nuclear law. This process obviously involved many compromises and reformulations. For this reason, the CNS text differs in some respects from the underlining safety fundamentals documents. After the open-ended working group produced a basic text, a more formal phase of the negotiations was needed to transform the informal document into an instrument that could be codified into international law. In June 1994 a Diplomatic Conference was convened to enable accredited government representatives to produce such an instrument. The month-long Diplomatic Conference considered a wide range of controversial issues, and was able to adopt a consensus text. The Convention was opened for signature by States at the September 1994 IAEA General Conference. However, even after acquiring a number of signatures, a convention is not legally effective until the required number of States have completed their domestic procedures to formally approve it. By 1996 the required number of countries (in this case, 27) had formally completed their internal reviews and expressed approval of the text. Thus, the CNS entered into force as binding on its parties in October 1996. Some countries (including the United States of America) delayed approval because of complex internal procedures or policy reasons. The CNS has now been adopted by substantially all countries operating nuclear power reactors and several that do not. At the time this book was prepared, there is only one country that has a nuclear power installation and is not a CNS Party. 13 Basic character of the Convention The basic character of the Convention is an important issue. International instruments come in different forms, and the CNS could have been much different in its fundamental approach to enhancing nuclear safety worldwide. One type of instrument could be characterized as a “Regulatory Convention”. Such a Convention would have established reasonably concrete rules for States that would be subject to supervisory measures implemented by an international secretariat. An example of such an instrument is the Nuclear Non-Proliferation Treaty (NPT). It establishes an obligation for a State party to accept the application of IAEA safeguards to certain nuclear activities under its jurisdiction. And the IAEA has established and maintains a professional Department of Safeguards to conduct inspections and other procedures in individual countries. During negotiation of the CNS, it was clear that few countries wanted a regulatory convention in the field of nuclear safety. They were willing to accept a number of obligations under international law, but were not willing to have those obligations monitored or enforced by an international regulatory body. The IAEA role in CNS implementation is, thus, quite limited — unlike the NPT. The IAEA has promulgated important safety guidance documents that help in the application of the Convention’s substantive obligations. And the IAEA conducts safety missions, at the request of its member states, that can help demonstrate compliance with a nation’s CNS its obligations under the Convention. However, these missions are not inspections, and their results do not amount to a regulatory system. A second type of instrument under international law could be called a “Sanctions Convention”. Such conventions or instruments establish very clear obligations that, if violated, can lead to stringent penalties or enforcement measures by other parties. Many such instruments cover commercial or trade relationships, where violations can result in financial penalties or the withdrawal of economic benefits. During negotiations of the CNS, it became clear that involved experts and delegations were not interested in a sanctions regime where States parties would be subject to specific penalties for lack of compliance. The rejection of the “regulatory” and “sanctions” approaches led the negotiators to focus on a third alternative. For lack of a better term, that came to be known as an “Incentive Convention”. An “Incentive Convention” is basically an instrument that contains a set of international obligations and an implementation process that produces political pressure on a State to comply with its obligations conscientiously and rigorously. In the case of the CNS, implementation is grounded in a so-called “peer review process” in which states prepare national reports demonstrating their compliance with the CNS and other countries are given an opportunity to review and comment on those reports at periodic meetings of the parties. This “peer review process” was judged most likely to encourage conscientious application of the CNS, without the disadvantages of a “regulatory” or “sanctions” approach. 1.2.1.3. Initial provisions A number of initial provisions in the CNS are important to understanding how the instrument is to be implemented. 14 Preamble of the Convention The preamble of an international Convention is set forth at the beginning of the instrument to explain its underlying factual and policy bases. The CNS preamble consists of ten paragraphs, only a few of which are of particular interest. Paragraph (iv) of the preamble establishes the desire of the parties to promote an effective nuclear safety culture. This is the only place in the Safety Convention where the term safety culture is mentioned. Safety culture is a central concept for the enhancement of nuclear safety. However, the concept is difficult to define and inherently impossible to establish as a specific international law obligation. Nevertheless, the CNS parties felt that the importance of safety culture should be emphasized, recorded the need to promote the concept in the convention’s preamble. Paragraph (v) of the preamble recognizes that accidents at nuclear installations have the potential for transboundary impacts. This is one of the fundamental reasons why it is desirable to have an international treaty covering the subject. In a very important paragraph (viii), the preamble describes the relationship of fundamental safety principles developed by the IAEA to the international law obligations contained in the CNS. Some governments wanted to have the Convention including a provision that would have adopted IAEA Safety Standards as international law obligations. However, as mentioned earlier, most States were not willing to give principles developed as voluntary guidelines a binding legal effect. However, most states agreed that the CNS should include some recognition of the value of IAEA Standards in achieving safety. Paragraph (viii) in the preamble seeks to accomplish this objective in the following statement: “recognizing that this Convention entails a commitment to the application of fundamental safety principles for nuclear installations rather than of detailed safety standards, and that there are internationally formulated safety guidelines which are updated from time to time and so can provide guidance on contemporary means of achieving a high level of safety”. There was also general agreement that IAEA Safety Standards could be referred to by parties in explaining how they had implemented specific articles of the convention. Therefore, IAEA Safety Standards have been imported indirectly into the CNS as an efficient way of demonstrating how a party has complied with its obligations. Paragraph (viii) recognizes another important aspect of nuclear safety; namely, that technical and management approaches evolve over time. One of the concerns expressed by some experts in negotiating the CNS was how the instrument could codify standards or rules, but do so in a way that would enable them to adjust to change. The CNS parties acknowledge this issue in paragraph (viii) of the preamble, which states the view that practical implementation of the CNS can benefit from referring to the evolving body of internationally formulated (i.e. IAEA) standards to help achieve the Convention’s objectives. Objectives of the Convention Although the provisions of international conventions that define their objectives are not — strictly speaking — obligations, they are important as a means for interpreting and applying these legal instruments. If an obligation in a convention is unclear or contradictory, the objectives of the instrument — as stated in an introductory article — can be used to interpret its proper meaning. 15 In Article 1 the CNS explicitly identifies the following three objectives: x To achieve and maintain a high level of nuclear safety worldwide through the enhancement of national measures and international co-operation including, where appropriate, safety-related technical co-operation; x To establish and maintain effective defences in nuclear installations against potential radiological hazards in order to protect individuals, society and the environment from harmful effects of ionizing radiation from such installations; To prevent accidents with radiological consequences and to mitigate such consequences should they occur. x Scope of the Convention A threshold issue for any legal instrument is to determine what activities it will cover. This basic issue was debated in both the expert working group and at the Diplomatic Conference. Many countries sought a broad scope of coverage, to include not only power reactors, but also research and test reactors, fuel cycle facilities, nuclear waste management and even military activities. Other countries felt that including several major subjects in one instrument would create difficulties: first, in obtaining approval of the CNS under their national systems; and second, to in implementing an efficient and effective review process under the CNS. It was finally decided that the primary focus should be on nuclear power reactors: first, because such installations posed the greatest risks of major injury (including transboundary damage); and because a clearer expert consensus had been developed on fundamental safety elements for power reactors. Therefore, Article 3 defines the scope of the Convention as covering nuclear installations (defined in Article 2.i) as land based civil nuclear power reactors). The CNS includes one limited exception to the exclusion of nuclear waste; namely, it also covers storage, handling and treatment facilities for radioactive materials that are on the same site and directly related to the operation of the installation. Implementing the CNS through national law Article 4 of the Convention states that a contracting party “shall take, within the framework of its national law, the legislative, regulatory and administrative measures and other steps necessary for implementing its obligations under this convention.” This provision explicitly recognizes the “internal” legal effect of the CNS mentioned earlier. Some international lawyers might argue that Article 4 is not needed, because international law principles require every country to implement its treaty obligations in good faith, which includes making any necessary changes to domestic legal provisions. Safety of existing installations The most difficult article in the CNS is Article 6: Existing nuclear installations. It was the most contentious provision in the convention, as well as the last article to be agreed at the diplomatic conference. Article 6 deals with the issue that engendered the political pressure to negotiate the Convention in the first place; namely, how to ensure the safety of nuclear installations constructed to earlier standards. In reality, this article covers all power reactors in 16 operation at the time the CNS entered into force. However, its real focus is reactors constructed without robust containment structures and without application of other modern “defence-in-depth” principles. The primary debate was over what actions countries should take regarding installations that arguably lack modern safety features. Some experts argued that an installation should be considered “safe enough” if it complied with requirements existing at the time it was constructed and first operated. Most parties, however, felt that such an approach would be inconsistent with the primary objective of CNS; namely, to raise nuclear safety levels. The requirements of Article 6 fall into four categories. x First, a state party is to take appropriate steps to ensure that safety is reviewed as soon as possible. This means that operators and regulators must examine the safety case for existing reactors. The article does not detail how this is to be done. However, by implication, the review must be based on up-to-date standards. x Second, a state party must ensure that all reasonably practicable improvements are made to upgrade safety. This does not mean that all measures to improve safety must be taken, but that those that are reasonable from a technical, economic, management perspective should be implemented in a timely manner. x Third, if a state party cannot upgrade its nuclear installations to this new level of safety, it has to make plans to shut them down. x Fourth, the timing of shut-down can take into account various factors, including the whole energy context, possible alternatives and social, environmental and economic impact. The most contentious debate revolved around defining the factors to be considered in shutting down a reactor that would not meet the current highest level of safety. The factors finally adopted obviously represent a compromise between States that wanted a very stringent safety-related standard for shutdown and those that wanted other factors to be considered. In the final analysis, the extended list of factors that may be considered includes so many nonsafety-related elements that the provision fails to provide any precise guidance on whether a particular facility should be shut down. However, the presence of Article 6 in the CNS means that parties must include information on their reviews of existing facilities in their respective national reports and must justify any decision to continue to operate installations that do not meet current safety standards. 1.2.1.4. Technical provisions of the CNS Having considered the history of the Convention and some of the initial provisions that describe its basic character and approach, it is necessary to review its so-called “technical articles”; namely, those that contain the specific obligations of parties under the CNS regime. Legislative and regulatory framework The first section of technical articles deals with general safety considerations, beginning with the important subject of legislative and regulatory framework. 17 Article 7 requires a State Party to establish and maintain a legislative and regulatory framework for nuclear safety, a framework that includes the classic elements of regulation: safety requirements and regulations; a system of licensing; inspection and assessment; and an enforcement process. Article 8 sets forth requirements for the regulatory body, including the essential elements of adequate authority, competence and financial and human resources to fulfil its assigned responsibilities. This article also treats the very important issue of the regulatory independence, stating that contracting parties must take appropriate steps to ensure an effective separation between the functions of the regulatory body and those of any other body or organization concerned with the promotion or utilization of nuclear energy. This “effective separation” principle lies at the heart of regulatory independence. Article 9 is a very important codification of the well-recognized principle that the operator of the facility has the primary responsibility for safety. Although other actors in the nuclear field (architects, engineers, regulators, contractors, suppliers) have important roles to play in achieving safety, the operating organization is the entity that must finally ensure that an installation is safe. General safety considerations The general safety consideration part of the Convention consists of seven separate provisions (Articles 10–16): priority to safety; financial and human resources; human factors; quality assurance; assessment and verification; radiation protection; and an important article on emergency preparedness. These articles have been drafted as broad principles and apply to all aspects of a nuclear installation. Since most are self-explanatory, their language will not be reviewed in detail. As will be evident, they codify well-understood concepts in nuclear safety, such as the ALARA (as low as reasonably achievable) principle for radiation protection (Article 15). It is also interesting to note, however, that this section contains the only provision specifically directed to States that do not operate nuclear facilities. Article 16.1.3 requires parties that do not have a nuclear installation on their territories to prepare and test emergency plans to cover possible radiological emergencies resulting from a nuclear installation in the vicinity. Safety of installations The next section of the Convention (Articles 17–19) covers familiar safety-related subjects, including siting, design, and operation of nuclear installations. Article 18 codifies other familiar safety principles, including defence in depth, human factors and the manmachine interface. Article 19 — Operation is the longest technical article in the Convention, containing eight separate sub-articles that were originally drafted as separate articles. This article codifies a number of familiar nuclear safety principles, including: operational limits (sub-article ii); incident reporting (sub-article vi); analysis of operating experience (sub-article vii); and waste minimization (sub-article viii). Table IV summarizes these provisions, not all of which will be discussed in detail. 1.2.1.5. Implementation process under the CNS Because of its “incentive” character, the CNS review process lies at the heart of the convention. The basic model for this process was the review process under the Nuclear Non 18 Proliferation Treaty. Many international conventions or treaties conduct review processes. Each such process is somewhat different, reflecting the particular subject matter and policy considerations in the field of its coverage. Under the CNS, the parties were constructing — for the first time — a review process to apply to nuclear reactor safety. Basic requirements for the review process The provisions dealing with how this review process is to be structured are found in Chapter 3 — “Meetings of the Contracting Parties” (Articles 20–28). These provisions are extremely general, leaving most of the decisions concerning the form and content of the review process to the procedural rules that will be developed later. Several important provisions should be noted: x The first authorizes the formation of sub-groups for the purpose of reviewing specific subjects contained in the national reports mandated in Article 5 (Article 20.2). As will be seen, this Article 20.2 provision was basically re-written by the parties when they decided that sub-groups would not be organized by subject. TABLE IV. TECHNICAL PROVISIONS OF THE CONVENTION ON NUCLEAR SAFETY Legislation and regulation x Legislation and regulatory framework x Safety requirements and regulations x System of licensing x Regulatory inspection and assessment x Enforcement x Regulator with authority x Independent regulator x Operator’s responsibility General safety consideration x Priority to safety x Financing for safety x Competence of staff x Human performance x Quality assurance x Safety assessment x Verification: analysis and survey x Radiation protection x Emergency preparedness Safety of installation x Siting: effect of environment to NPP x Siting: effect of NPP to environment x Siting: re-evaluation/consulting x Design: defence in depth x Design: proven technology x Easily manageable operation x Initial authorization and commissioning x Operational limits and conditions x Procedures for operations, etc. x Emergency operating procedures x Engineering and technical support x Incident reporting x Operating experience feedback x Waste management x A second provision says that contracting parties shall have a “reasonable opportunity” to discuss the reports of others Article 20.3). The article leaves unspecified what should be considered a “reasonable opportunity”. x The third requirement is that the parties will conduct a preparatory meeting within six months after entry in the force of the Convention to develop the procedures for the review process. (Article 21.1). Also, the first review meeting is to be conducted no later than two 19 and half years after entry into force (Article 21.2). The interval between the meetings should be no longer than 3 years (Article 21/3). x Procedural arrangements for the meetings of the parties are to be contained in rules of procedure and financial rules to be adopted by a consensus of the parties (Article 22). x An important provision (Article 24) requires parties to attend meetings, one of the few concrete obligations (in addition to preparing a national report) in the CNS. x Article 27 permits parties to seek confidentiality of information they provide. x And finally, Article 28 provides that the IAEA “shall provide the secretariat” for the meetings. Phases of the CNS review process Even a close reading of Chapter 3 of the CNS will not provide the reader with a clear picture of how the Convention’s review process is to be conducted. To simplify a somewhat complicated subject, the review process can be divided into six phases: x Phase 1 — Each State party prepares a national report, describing how it has met the obligations contained in the Convention; x Phase 2 — States parties receive the national reports of all other parties and review them (this means that each country must consider some 50 reports); x Phase 3 — States parties develop questions and comments that are transmitted to the relevant countries through the respective country group co-ordinators not less than 60 days before the meeting; x Phase 4 — States parties attend the CNS review meeting in Vienna, where they discuss the reports of other parties in country groups, present their own national reports and respond to questions and comments submitted prior to the meeting and any made during country group sessions; x Phase 5 — Country group rapporteurs develop an oral report to be delivered at the final plenary identifying main issues, themes or conclusions arising from group discussions; x Phase 6 — The entire meeting of the parties considers and approves by consensus a summary report of the overall meeting prepared by the President. National reports Article 5 contains one of the few precise obligations in the convention; namely, to prepare and make available a national report, including a self-assessment of steps and measures taken to implement the convention. Failure to prepare such a report constitutes one of the few clear cases in which a violation of the CNS can be demonstrated. Neither the CNS text nor the procedural rules provide much guidance on the form, content or length of these reports. The preparatory meeting adopted rule 40.2, which recognizes that each party has the right to submit reports with the “form, length and structure” it believes necessary. With 45 countries preparing national reports, a very complex set of documentation could have resulted, making the task of comparing and contrasting the nuclear safety situation in different 20 countries very difficult. However, most countries did what is reasonable, following the basic outline of the CNS articles. Also, at the first review meeting, most national reports turned out to be less than 100 pages in length. Neither the CNS text nor the procedural rules indicate who is responsible for preparing the national reports? The Convention only establishes a national obligation to report, an obligation that can be implemented by any nationally-designated entity. The issue of who prepares the report bears an interesting relationship to Article 9, which provides that primary responsibility for the safety of a nuclear installation rests with the operator. Given this provision, one might have expected national reports to be prepared in substantial part by operating organizations. In fact, at the first review meeting, national reports were prepared by the regulatory organization in each country. Country groups When a national report is prepared and submitted, what happens at the meeting to implement the “peer review” that lies at the heart of this “incentive” convention? One of the central issues debated at the preparatory meeting of CNS I was whether you would organize sub-groups on the basis of subject matter (as the language of Article 20.2 suggests) or on some other basis, such as geographic grouping or technology (e.g. certain reactor types). A consensus finally concluded that safety should be viewed as a whole for each country. National reports should be reviewed comprehensively to assess the overall status of nuclear safety in each country. It follows that the best way accomplish this overall review is to form sub-groups organized by countries. The preparatory meeting basically decided how many countries could be reviewed in the time available (two weeks) and divided the 45 parties into a corresponding number of groups (six), each with 7 or 8 members. This arrangement allowed one day for the review of the national report of each nuclear -power state, with less time for non-nuclear-power states. In assigning countries to groups, it was decided that diverse groups would produce a better review. Therefore, countries were assigned according to the number of reactors they operated. The country with largest number of reactors was assigned to group 1; the country with the second largest number to group 2; the country with the third largest number to group 3; and so forth. After an introductory presentation by the reporting country, the country groups discussed each national report in detail. This discussion had been previewed in questions and comments submitted previously through designated country group coordinators. Confidentiality A contentious issue during the CNS negotiations concerned whether some or all of the CNS process, including national reports should be kept confidential. The issue is important because of its relation to the central concept of the Convention as an “incentive” instrument. Many governments argued that, unless national reports were made public, and the CNS review also conducted openly, the Convention would not achieve one of its important — though unstated — objectives: to increase public confidence in the safety of nuclear installations. Other governments argued strongly that a public review process would be a disincentive for many countries to be candid about the problems they might be experiencing in nuclear safety. The result was that countries were allowed to submit confidential reports (Article 27.1 and 21 27.2) and that the debates during the review of reports would be confidential (Article 27.3). However, in the CNS I process, no national report was submitted as confidential. Indeed, most of the national reports were placed by their countries on the Internet. However, the discussions in country groups and plenary debates at CNS I were held in confidence, with only the summary report under Article 25 made public. Languages The issue of what languages could be used in the CNS review was expected to create difficulties, given the fact that the United Nations system recognizes six official languages. It was recognized that interpretation of the meeting and translation of documents into all six languages would be enormously expensive, far beyond the budgets of the parties or the IAEA. To cut the cost of review, there were proposals to adopt a single working language. Article 26 preserves the principle that all official languages are equal, providing that the languages of the meetings of the CNS contracting parties shall be Arabic, Chinese, English, French, Russian and Spanish. However, a pragmatic and financially acceptable compromise was provided to permit adoption of one or more working languages under the rules of procedure. The rules of procedures for the first meeting provided, that in any meeting of the review process a country can request one of the official languages. However, most of the sessions were conducted in English — as the primary working language — with some sessions being conducted with Russian translation. This made the costs of interpretation/translation much less expensive. Rapporteurs’ oral reports and records of the CNS meeting Under the procedural rules, a oral report by a rapporteur from each country group was to be made at the final plenary meeting. These oral reports were to provide the basis for the written summary report provided by Article 25. It was decided that notes upon which the oral reports be prepared by the rapporteurs would be kept as permanent records by the IAEA Secretariat. Country group sessions were to be conducted on a confidential basis, with no records. The issue of record-keeping for plenary sessions was treated separately under rule 42, where it was agreed that plenaries would be electronically recorded. However, due to a bureaucratic oversight, no such recordings were made, except for the final day’s plenary. As a result of these procedural decisions, the documentary records of the CNS review meetings are very sparse. The most substantive information is contained in the oral reports of country group rapporteurs, whose notes are available only to CNS parties. Summary report of the review meeting Article 25 of the CNS provides that the contracting parties “shall adopt, by consensus, and make available to the public a document addressing issues discussed an conclusions reached during the meeting.” With 45 separate states represented at the meeting, any one of which could block consensus on the wording of such a report, it is — perhaps — surprising that the President of the first CNS review meeting (Mr. Lars Högberg of Sweden) was able to produce an eight-page summary report that achieved consensus. Results of the first CNS review meeting (CNS I) The first review meeting of the contracting parties of the CNS, conducted in April 1999 was attended by 45 contracting parties. As discussed previously, the primary achievement of this meeting was to establish detailed procedural and financial arrangements for a process that 22 was left quite vague in the text of the Convention itself. Except for three non-nuclear countries, all parties met their fundamental obligations to prepare national reports (Article 5) and to be represented at the meeting (Article 24.1). These national reports, most of which were made public (many on the world wide web), represent a useful record of the state of nuclear safety worldwide as of the end of the last millennium. They provide a baseline for future assessment of whether levels of nuclear safety in any particular country, or generally, are being raised or are deteriorating. As also mentioned, the country groups at CNS I conducted active discussions of the nuclear safety programmes of each party, with oral reports in the final plenary by group rapporteurs. The final summary report prepared by the President and agreed by consensus also contains some indicative observations on matters important to enhancing nuclear safety. Some of the most notable are the following: x The legislative framework is well established in most countries; x Some countries who started their nuclear programme some decades ago have found that their legislation now needs updating; x All contracting parties had established regulatory bodies. For some countries, questions were raised as to the effective independence, administrative position, and the human and financial resources of their regulatory bodies; x The status and position of the regulatory bodies remains an important topic to be dealt with in future national reports and review meetings. Special attention should be given to the development of assured human and financial resources; x The advantages and limitations of regulations of a detailed prescriptive nature as compared to less prescriptive, goal oriented approaches and the complementary use of risk based assessments were discussed. Although no preferable approach was identified, some countries have agreed to review their experience and report at the next review meeting. The second CNS review meeting (CNS II) The schedule for the second CNS review meeting is April 2002. A preparatory meeting conducted in September 2001 decided to make only very modest adjustments to the process used for the first meeting in 1999. The rules of procedure and financial rules for this process were amended only to provide that the chairs and rapporteurs in any country group are not nationals of any state in that group. This addresses the potential conflict-of-interest problem raised at the first meeting, where — in some few instances — country group chairs or rapporteurs took decisions concerning the safety record of their own countries. As a result of new parties and some changes in the nuclear programme of states parties, the composition of country groups at the CNS II are different. Some differences of emphasis in the review at CNS II can be expected. At CNS I, substantial attention was paid to the legislative and regulatory framework of each party; a threshold issue that need not be repeated, unless a country has revised its laws or reorganized its regulatory institutions. 23 1.2.2. Other international nuclear safety related conventions 1.2.2.1. Convention on Early Notification of a Nuclear Accident [12] The Convention on Early Notification of a Nuclear Accident establishes a notification system for nuclear accidents that have the potential for international transboundary release that could be of radiological safety significance for another state. The objective of the Convention is to provide relevant information about nuclear accidents as early as possible in order that transboundary radiological consequences can be minimized. The scope of the Convention is any accident involving facilities or activities from which a radioactive release occurs or is likely to occur and which may result in a transboundary release that could be of radiological safety significance for another state. Facilities or activities involved are: nuclear reactor; fuel cycle or waste handling facility or respective transportation and storage; manufacture, use, transport or disposal of radioisotopes. Obligations of contracting parties are the following: A state party having a nuclear or radiological accident going on in its territory shall: x Make the accident known to the IAEA and other states parties competent authorities and points of contact; x Notify those states which may be affected the nature, time of occurrence and exact location of the nuclear accident; x Provide promptly the states affected with such available information relevant to minimize the radiological consequences; x Respond promptly to a request for further information or consultations sought by affected state party; x Ensure the provision of further information: e.g. Facility or activity, cause and foreseeable development, meteorological and hydrological conditions, and off-site protective measures taken or planned; and x To supplement information at appropriate intervals. Obligations to the IAEA are the following: x To ensure confidentiality of confident information (applies also to other state parties); x To maintain an up-to-date list of points of contact and provide it to others; x To assist non-nuclear countries in investigations concerning radiation monitoring systems; x To provide depositary functions. 1.2.2.2. Convention on Assistance in the case of a Nuclear Accident or Radiological Emergency [12] The Convention on Assistance in the case of a Nuclear Accident or Radiological Emergency sets out an international framework for co-operation among parties and with the 24 IAEA to facilitate prompt assistance and support in the event of nuclear accidents or radiological emergencies. Objectives of the Convention are: x To establish an international framework to facilitate prompt provision of assistance in the event of a nuclear accident or radiological emergency to mitigate its consequences; x States parties shall co-operate between themselves and with the IAEA to facilitate prompt assistance; x States parties may agree on bilateral arrangements for preventing or minimizing injury and damage. Scope of the Convention is the following: In the event of a nuclear accident or radiological emergency, whether or not such an accident or emergency takes place in one’s own country, a state party may call for assistance from any other state, IAEA or other international intergovernmental organizations where appropriate. Obligations of contracting parties are as follows: x A requesting state party shall specify the scope and type of assistance needed and provide the information necessary for determining the extent of assistance to be given; x A state party to which a request is directed shall promptly decide and notify whether it is in a position to render the assistance requested and in which extent; x IAEA shall respond to a request for assistance, make available appropriate resources, transmit promptly the request to other states and international organizations and coordinate the assistance at international level; x The assisting state shall, designate a person responsible for staff and equipment delivered, co-ordinate the assistance relating medical treatment, make efforts to co-ordinate release of information; x The requesting state shall co-ordinate the assistance in its territory, provide local facilities and services for effective administration, ensure the protection of personnel and equipment delivered, facilitate entry, stay and departure of personnel, ensure the ownership and return of equipment, afford privileges and immunities to personnel. The state parties shall inform points of contact to the IAEA and others, identify and notify the IAEA about experts, equipments and materials which could be delivered, protect the confidentiality of confidential information, facilitate transit through its territory of duly notified personnel, and co-operate to facilitate the settlement of legal proceedings and claims. The IAEA shall: x Collect and disseminate information concerning experts, equipment and materials available, x Develop methodologies and techniques to response to nuclear accidents; x Assist a state party in preparing emergency plans and appropriate legislation; x Develop training programmes for personnel; 25 x Transmit requests for assistance and maintain an up-to-date list of points of contact; x Establish and maintain liaison with relevant international organizations; x Offer its good offices in the event of accident and perform depositary functions. 1.2.2.3. The Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management The Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management was adopted at a Diplomatic Conference in September 1997 and has been put into force 18 June 2001 [13]. Preamble of the Convention presents the following background: Radioactive waste should be disposed of in the state in which it was generated whilst recognizing that safe and efficient management might be fostered through agreements among contracting parties. Any state has the right to ban import of foreign spent fuel and radioactive waste. Also the importance of informing the public on the issue has been recognized. Application of relevant safety standards should be promoted and the international control system should be strengthened. Scope of the Convention covers Safety of Spent Fuel and Radioactive Waste Management excluding off-site transportation and discharges. Each contracting party shall take appropriate steps to ensure that individuals, society and the environment are adequately protected against radiological hazards. Safety aspects are continuously taken into account. Each contracting party shall take legislative, regulatory and administrative measures and other steps necessary to implement its obligations. Regulatory body should have an adequate authority, competence and financial and human resources to fulfil its assigned responsibilities and have effective independence from other functions. Prime responsibility rests with the holder of the licence or with contracting party if there is no license holder. Each contracting party shall submit for review a report to each review meeting of contracting parties. The report shall address the measures taken to implement each of the obligations of the convention. The report should address contracting party’s spent fuel management policy and practices, radioactive waste management policy and practices, criteria used to define and categorize radioactive waste and include a list of spent fuel management and waste management facilities. The IAEA shall: x Provide the secretariat for the meetings of the contracting parties, convene, prepare and service the meetings; x Transmit information received or prepared in accordance with the convention; x Provide other services in support of meetings as requested by consensus; x Be the depository of the convention. 26 1.2.2.4. Convention on civil liability for nuclear damage Following the Chernobyl accident, the IAEA initiated work on all aspects of nuclear liability with a view to improving the basic conventions on Civil Liability for Nuclear Damage and establishing a comprehensive liability regime. In 1988, as a result of joint efforts by the IAEA and OECD/NEA, the joint protocol relating to the application of the Vienna Convention and the Paris Convention was adopted. The joint protocol established a link between the Conventions combining them into one expanded liability regime. Parties to the joint protocol are treated as though they were parties to both conventions and a choice of law rule is provided to determine which of the two conventions should apply to the exclusion of the other in respect of the same incident [14]. 1.3. NATIONAL REGULATORY FRAMEWORK 1.3.1. The state, its structures and its duties The state is basically characterized by its sovereignty, which is the basis for establishing an orderly society. One way of realising and maintaining such a society rests on adequate structures (national authorities, social, economical and/or industrial organizations) and on fulfilling corresponding duties. Usually, these duties and structures are distributed in four levels according to their nature and the competencies they need for implementation. The first three levels involve the national authorities, namely: (1) the legislative level (parliament); (2) the executive level (government); (3) the judiciary level (court). These are the regulators. The fourth level has a different nature and covers the many social, economical and industrial aspects; it includes all those (individuals and organizations) living and acting under the law of the state in various areas such as industry, trade, handicraft, business organizations, agriculture, etc. At that fourth level, we find all those that have to or want to do some “business”. They are the regulated. To illustrate this in the nuclear energy perspective, it is useful to mention the main functions, duties and responsibilities of organizations (and individuals) at these different levels. The legislative (parliament) defines and promulgates the legislative frame in which man and society can develop initiative and activities, (e.g. use of nuclear energy). It sets (by legislation) an acceptable frame to allow such activities, i.e. giving individuals or organizations the freedom to undertake such activities, but also setting limits to this freedom, so as to ensure protection of other people and society. The parliament establishes further the competence and gives the means to (legally) control activities. The government (executive) implements the legislation (e.g. though execution of control and surveillance of nuclear facilities); it creates adequate conditions for beneficial activities (e.g. adequate education). The government is further responsible for ensuring that any and all activities remain within the legislative frame, within the acceptable limits and harmless to others. As a consequence, the government has the competence and duty to control such activities and the power to intervene in order to prevent harmful evolution (e.g. though licensing, review and assessment, inspection and enforcement). 27 The court (judiciary) will judge, if necessary, the legality of decisions and actions and make decisions in cases of contradictory opinions among the “regulated” or between the regulator and the regulated. Concerning the fourth level, covering the whole of the regulated industry, which is very broad, a short characterisation would be either trivial or incomplete; some consideration will be given below in the Chapter on “responsibilities of the four main actors” in connection with the industry in charge of implementing a nuclear energy programme. In the implementation of a national nuclear energy programme, the key-elements are then: the state and the people of state, the state's legislative (parliament) and the state's executive (government), various governmental bodies, in particular the regulatory body (for nuclear safety), and the industry (involving organizations such as utilities and manufacturers). Concerning the conditions of success of performance, a few rules have to be applied and respected: x The role of each organization has to be clearly defined; x Each organization has to know perfectly its role and has to have competence; x Each organization is responsible for its own actions; x Co-operation and co-ordination are to be ensured for the success of the performance; x Each organization knows and respects the role of the others (i.e. responsibilities and competence of the others). The word “responsibilities” appears in many aspects as an important key word. Responsibilities are in particular always characterised by the following: x Responsibilities must be clearly defined; x Responsibilities cannot be shared; x Responsibilities cannot be delegated. When an organization bears a specific responsibility, it is always on individuals belonging to that organization that duties and responsibilities will fall. These are the duties to — and the responsibilities for — implementing the actions necessitated by taking charge of the organization's responsibility. These duties will fall first on the organization's head, who may and usually will delegate parts of the actual work to other individuals within the organization. But to be noted is the following: despite the distribution of tasks to a set of individuals — and of the associated individual responsibilities — the organization as such remains fully responsible for the whole undertaking, and the organization's head remains fully responsible for the whole work done by his personnel. The nuclear safety convention, recognising implicitly this, underlines that the state is responsible for all nuclear installations established on the territory over which it has jurisdiction. Implementation of this responsibility takes place at several levels and in different areas. In particular, the responsibility for safety lies with the operating organization. The other organizations are responsible to establish and maintain adequate conditions so that the operating organization can fulfil its responsibilities successfully. 28 1.3.2. Responsibilities of the four main organizations Looking in more detail at the roles of these four organizations we identify the main characteristics of their duties and responsibilities as well as the interrelationships at the implementation level. 1.3.2.1. Legislative (parliament) The legislative (parliament) is responsible for establishing the necessary legislative framework. That means: x To allow development of the use of nuclear energy (if the nation has decided to do so). That means practically to facilitate the realisation of the nuclear energy programme (promotion); and x To control through dedicated state's (governmental) organs, i.e. regulatory body, the realisation of the nuclear energy programme or the operating organization(s), in order to ensure the protection of the population against the associated risk. These two tasks are not to be opposed to each other, but they have rather to be considered as complementary. This is essential and leads to the necessary requirement of independence of the various organizations. The second task covers one aspect of implementation and responds to the statement expressed in the nuclear safety Convention with the phrase “The state is responsible for nuclear installations”. 1.3.2.2. Government The government, which is the executive that must implement the state's duties and activities within the frame established by the legislative (parliament), is for fulfilling the following global tasks: x Establishing and maintaining the conditions necessary for controlling from the safety viewpoint the implementation of the “nuclear energy programme” at all its stages (i.e. siting, construction, commissioning, operation and decommissioning). This means enacting an adequate legal framework. x Establishing and maintaining the dedicated state's organs (regulatory body) to implement the state's surveillance and control of nuclear energy use within the legislative and regulatory framework. This implies among other things: establishing the legal power of the regulatory body as well as assuring adequate resources in manpower and funding for its efficient functioning. x Protecting of the population against the risk associated with the use of nuclear energy, developing and establishing the regulatory framework to govern efficiently the state's surveillance and control of all stages of the nuclear energy programme. With respect to the legal framework, there are four primary objectives of the legislation; namely to provide: 29 x The statutory basis for establishing the regulatory body; x The legal basis for ensuring the realisation of nuclear power plants without undue radiological risk; x The regulatory body with the power to establish and enforce regulations with respect to nuclear safety; x The financial indemnification in case of severe accident (this is closely associated with third party liability); x The regulatory framework for radiological protection of persons of the population and of workers as part of public health for all sources of ionising radiation and establish the corresponding surveillance body within the governmental organization. The legislation must also establish whether the regulatory body in charge of nuclear safety should also be responsible for the surveillance of “on-nuclear” sources of ionising radiation. 1.3.2.3. Regulatory body The term “regulatory body” is used in the IAEA Standards to define an authority or a system of authorities designated by the government as having legal authority for conducting the regulatory process, including issuing authorizations, and thereby regulating nuclear, radiation, radioactive waste and transport safety. It includes the national competent authority for the regulation of radioactive material transport safety. The number of authorities which comprise the regulatory body and the relationships between them depends on the overall organization and traditions of a state’s administration. For any regulatory body, a prerequisite for discharging the responsibility for state's surveillance is total independence of judgement and of regulatory decision. Therefore, the regulatory body cannot bear other responsibilities, particularly responsibilities that could conflict with safety concerns. In discharging its responsibility for safety, the regulatory body has to endorse regulatory functions and to perform regulatory actions. This includes establishment and implementation of the regulatory framework, assessment of safety, licensing decisions, inspection and enforcement; evaluation of the feedback of experience; keeping abreast of the state of the art in science and technology; public information. This will be discussed in more detail in Section 2 as well as in all other Sections. 1.3.2.4. The industry (electrical utilities, operating organizations, manufacturers/suppliers) Under this designation, the industry is a complex set of different organizations made up of the operating organization, of the designer and constructor of the nuclear reactor, of various suppliers, of industrial organizations doing work under contract for the operating organization etc. The industry is in charge of realising the nuclear energy programme and, in so doing, has the duty to propose ways and means to attain the programme's objectives (and also the freedom to propose adequate technical solutions). But, by so doing, the industry is responsible for setting its projects within the legislative and regulatory framework and will also be responsible for respecting the requirements as well as limits and conditions imposed by the regulatory body for safety reasons. 30 It is important to note here that, depending on the basic legal system of the state the industry may be either a state or governmental institution (state economy) or a group of private or corporate enterprises (market economy). In both cases, but particularly in the former case, the legislative framework should ensure real independence of the regulatory body from the industry. It is clear that the operating organization has an essential and central role and, therefore, bears an important responsibility. This has been largely and internationally recognised and is reflected in several fundamental IAEA publications and, last but not least, this has been explicitly formulated in the Convention on Nuclear Safety (Article 9). In short, one basic principle is: “The operating organization bears the prime (or overall) responsibility for safety”. Because this prime responsibility cannot be delegated the operating organization assumes globally the sum of “partial responsibilities” attributed to designers, constructors, suppliers, etc. during the realisation of the project (or programme). This requirement is implicitly mentioned in the national legislation of many countries. This sets also the framework for dealing with the important question of civil liability: only the operating organization can and has to be declared civilly liable. 1.3.3. Nuclear safety legislation 1.3.3.1. Distribution of regulatory requirements between laws, regulations and guidelines Establishing and amending laws lies in the competency of the parliament: once they have been approved and put into force, the laws constitute a stability factor as it takes time and effort to modify them (needing a new discussion in parliament); they are therefore also somewhat inflexible. Lower tier legislation is usually enacted by the government in its own competencies and does not need parliamentary approval, but it may also take time and effort to amend them or to prepare new ones. This is a reason for avoiding fixing too many details in the legislation; the law should be limited to establish the general frame in which a set of activities is allowed and made possible, as well as to provide for governmental supervision. Regulations are promulgated at a lower level. Usually, ministries or other designated governmental bodies are competent to prepare and edict regulations; at that level, it is easier to amend an existing regulation or to promulgate a new one: this is the flexibility factor needed to keep pace with the development of new knowledge and the feedback of experience. Some administrative regulations are necessary to establish the rules for the licensing process. Should a regulatory body feel the need to influence the proposals and the choice made by applicants and to produce some guidance, the intermediate stage of guides (they are not mandatory) is usually useful, because it would still be easy to accommodate other technical solutions, should they be better or more suitable from the applicant viewpoint than those suggested in the guidelines as well as, of course, acceptable for the regulatory body. The objective of the legal system is double: To allow the performance of activities within an acceptable frame and to ensure that these activities are conducted in such a way as to avoid unacceptable consequences. 31 1.3.3.2. Law and lower tier legislation The law should be short and very general in order to cover many situations, particularly situations which are not yet actual or even not yet known, without modification of the law. It should establish the general frame in which a set of activities is allowed and made possible as well as to be supervised. It should also give the power to the government to enact further and more detailed lower tier legislation (ordinances, governmental decrees, etc.) as well as to other governmental bodies (especially to the regulatory body for nuclear safety) the competency to promulgate relevant and specific regulations. For the states having the level of lower tier legislation in the competency of the government, it will be necessary to decide whether and which regulatory requirements should be introduced in this legislation or, alternatively, should be expressed as regulations enacted by the regulatory body. 1.3.3.3. Regulations and guides — their nature and number The difference between regulations and guides is clear and concerns above all the form given to such regulatory documents, not their content: by definition, regulations are mandatory and guides are non-mandatory. The development of regulatory tools leads to two categories of regulations and guides: administrative (e.g. defining procedures for conducting the licensing process in an orderly manner) and technical, e.g. setting particular principles, requirements or provisions which applicants have to satisfy (regulations) or suggesting ways of attaining the safety objectives (guides). For dealing with administrative (or managerial) aspects of the licensing process, a regulatory body will have to develop regulations rather than guides for obvious reasons: such regulations will set the rules of procedure and they have to be applied by all those concerned; they have therefore to be mandatory. Such administrative regulations would deal with subjects such as: statute and organization of the regulatory body, rules of the licensing process, formal duties of the applicant(s), financial aspects, etc. They are necessary at an early stage of the licensing process, before the first application is introduced because they give the rules of engagement and they make it easier for the regulatory body to manage the licensing process; the applicant(s) should know and follow them from the beginning. Concerning the technical level, both categories, regulations and guides, have to be considered; being based on the overall safety objectives, they will prescribe (regulations) or suggest (guides) ways or elements such as derived safety objectives, derived principles to be used in design or operation, requirements and criteria, relation to industrial codes and standards, etc. necessary or appropriate to satisfy these objectives. 1.3.3.4. The legal pyramid The legal system of a country may comprise all or most of the following elements which, by their nature, appear at an appropriate level in the hierarchy of legal documents: act(s), lower tier legislation (e.g. ordinances, decrees), regulations, guides, international and industrial standards. A graphical presentation of these elements can show their level in the legal hierarchy and indicate their number. The box on the top will contain acts. Underneath, there will be the larger box containing all lower tier legislation (ordinances, decrees, etc.). Further down, we have the still larger boxes for the many regulations and below that box there is a box 32 containing regulatory guides. At the bottom there is the largest box containing international and industrial standards. It is obvious that this pile of boxes of increasing size with the largest at the bottom and the smallest at the top takes the form of a pyramid, thus the name of “legal pyramid”. The graphical presentation of legal elements has been used quite frequently and two examples are given in Figures 3 and 5. 1.3.4. National and international institutions for matters of standardization In addition to the IAEA Safety Standards a lot of international and national institutions create technical standards. Examples of such institutions are the International Organization for Standardization (ISO) or the International Electrotechnical Commission (IEC). The co-operation between the IAEA and some important international institutions is well — regulated, for instance in the “Memorandum of Understanding between the IAEA and the ISO”. It reads: “The ISO recognises the responsibilities of the IAEA ... in particular with regard to the establishment of standards of safety for the protection of health ... which are primarily addressed to national regulatory bodies”. And corresponding: “The IAEA recognises the responsibilities of the ISO as a specialized international institution for matters of standardization, having as its objectives the facilitation of international exchange of goods and services...” In practice this co-operation is managed by “liaisons”. The technical committees of the standard organization nominate related committees in other organizations and a liaison officer is delegated to those committees. Examples for national institutions are the American Nuclear Standards Institute (ANSI), American Society of Mechanical Engineers (ASME), the German Nuclear Safety Standards Commission (“Kerntechnischer Ausschuß, KTA”) which is presented in some detail later, the DIN “Deutsches Institut für Normung e.V.” or the “Association Francaise de Normalisation AFNOR” in France. In this way a complete global framework of safety standards and technical specifications is created by the IAEA and the institutions for matters of standardization. In each country there are a legal framework and national authorities. The common features are: x The existence of a clear statutory and legal framework for nuclear regulation; x The establishment of the basic industrial, technological, and human resource infrastructure necessary to ensure nuclear safety; x An unambiguous recognition that the prime responsibility for the safety of a nuclear installation rests with the holder of the licence (i.e. the operator of the installation); and x A national commitment to safety as the fundamental requirement for a nuclear programme. Independent of those common features there are differences in the history, development, current structure and scope of responsibilities of various national nuclear regulatory bodies. It is therefore the duty of the national nuclear regulatory body to find a 33 specific way to fulfil fundamental safety objectives and to meet technical and policy challenges on the basis of the national and international safety standards. 1.3.5. Types of regulatory guidance To establish a clear regulatory guidance the national authority usually uses the whole spectrum of possibilities that are included in the national pyramid of the legal framework. That means, in accordance with the hierarchical structure of the IAEA Safety Standards, consisting of Safety Fundamentals, Safety Requirements and Safety Guides, the authority will develop ordinances, guidelines or recommendations, depending on the subject which is treated. These ordinances, guidelines or recommendations usually have different audiences. They could be mandatory for everyone, they could be mandatory only for the administration or they could be just recommendations of a group of experts with a non-mandatory nature. Nevertheless, these recommendations could obtain great practical importance, as the licensing authorities usually demand the proof of their fulfilment within the scope of the safety assessment. These different documents are established in different procedures. They could be enacted by the government, promulgated by the authority or just published by the authority. Depending on the kind of document the preparation takes place with or without the participation of the public. Safety standards and the way in which those are treated are part of the safety culture of a country. The approaches vary, but three general types of regulatory guidance can be observed. They are described in an IAEA Bulletin [1]: “Compliance-based” regulation. This approach typically involves the regulator providing prescriptive standards and requirements — the same for every plant — for operators to follow. In this regime, inspection and enforcement are largely a matter of verifying compliance with these rules and penalising non-compliance. The KTA safety standards are an example of this type. They are presented in detail in 1.4.2.3. “Performance-based” regulation. In this approach, licensees are required to comply with safety objectives, but have some flexibility to decide how they achieve that. Safety performance indicators are used by the regulator to observe trends in safety, and inspection activities focus on these indicators. A difficulty with this approach, however, is that the indicators used can be manipulated (i.e. efforts may be devoted to improving the indicators, rather than improving safety itself). Furthermore, it is difficult to find safety performance indicators that are predictive — i.e. that can be used to identify potential problems before they develop into real ones — and therefore this approach remains essentially reactive. As an example, one consequence of improving safety culture may be an increase in the number of safety related “events“ or problems reported, as the result of better reporting by staff. It is important that regulators (as well as managers) are able to distinguish a positive trend of this type from a negative one in which more problems are occurring because of deteriorating safety performance. This requires a more sophisticated approach to inspection than simple “incident counting”, and more positive safety indicators may be of value. An example of this type is the NRC maintenance rule. The US Nuclear Regulatory Commission has begun a transition from the prescriptive regulations of the past to a more risk and performance based approach which takes into consideration risk and plant performance. 34 10 CFR 50.65, requirements for monitoring the effectiveness of maintenance at nuclear power plants” is an example of a performance based rule that mandates consideration of risk and plant performance. This type of regulation gives each licencee the flexibility to determine the most efficient and effective way to meet the requirements. The increased use of risk and performance based regulation is made feasible by the continuing refinements in methods for analysing and quantifying risk through the use of PSA and improvements in the evaluation and analysis of plant and equipment performance data through licensee programmes such as nuclear plant reliability data system (NPRDS), plant performance indicators, and those mandated by the maintenance rule. An example for the formal establishment of a reporting system is the German “Nuclear Safety Officer and reporting ordinance” or the Finnish guide YVL 1.5 “reporting nuclear power plant operation to the Institute of Radiation Protection”. Process-based regulation (or integral supervision of nuclear power plants). This approach takes specific account of the fact that the safe operation of nuclear facilities depends on the effectiveness of the organizational processes established to operate, maintain, modify, and improve a facility. Briefly put, the process approach focuses on the organizational systems that the facility has developed to assure the ongoing safe operation from the perspective of the facility’s internal logic. It recognises that the design of organizational processes must remain flexible in order to allow the facility to create processes that are internally consistent, adapted to their history, culture and business strategy, and that allocate resources in the most rational way. A process based approach attempts to allow this flexibility while forcing the facility to think very carefully about the logic of their processes. It demonstrates to the regulator that they have taken a very rigorous approach to the design, implementation, and ongoing evaluation of their key processes and that they are alert to opportunities to improve their systems. A combination of the above three approaches can be used, since they are not mutually exclusive. An example of this kind of regulation is the new KTA working programme “KTA 2000”. In this new programme all German requirements concerning nuclear safety are classified in three levels, similar to the structure of the new IAEA Safety Standards series. Notwithstanding the paramount importance of regulations and standards, they need to be implemented on the management and working level within an integrated approach to national and international “safety culture”. 1.3.6. Safety criteria for nuclear power plants Safety criteria are a means to help implementing safety principles and requirements. Safety criteria indicate the way (or one of the ways) to satisfy a principle or a requirement. Nature of safety criteria may be technical, administrative, organizational, etc. and it can be qualitative or quantitative. It can be relevant to engineering, to radiological protection, to manmachine-interface (human factors), or to physical protection, etc. Safety criteria may be established either by the regulatory body or by the applicant/licensee: 35 x In the non-prescriptive approach, the applicant/licensee proposes a set of safety criteria by defining them and using them in its application; these safety criteria are eventually approved, modified or rejected by the regulatory body after review and assessment; x In the prescriptive approach, safety criteria are established by the regulatory body; they can be established as regulations (they are then mandatory) or as guidelines (they indicate in this case how the regulatory body intends to conduct the review and assessment process); they have to be available early enough in order to be considered by the applicant/licensee and its suppliers in preparing the application. The regulatory body is responsible for ensuring that an adequate and complete set of safety criteria is available and that each applicable criterion is or will be satisfied. Safety criteria are necessary for, and applied during, each phase of the licensing process, namely: siting, design, construction, operation, decommissioning as appropriate. Safety criteria should not only be compatible with, but should express the way to implement internationally agreed basic safety objectives and their supporting fundamental safety principles. A systematic approach to establishing a coherent set of safety criteria may be to consider all fundamental safety principles enunciated in safety fundamentals [8] as presented in 1.1.5.2 or the derived principles presented by INSAG [7] (basic safety principles, namely: 3 fundamental management principles, 3 defence in depth principles, 6 general technical principles, 50 specific principles). Another approach may be based on the set of safety criteria in force in the country of origin of the reactor and on a complementary check against the above mentioned safety principles. Each principle or, respectively, each requirement is the source of at least one criterion, but mostly of several complementary safety criteria, usually to be considered at the different stages of the licensing process (siting, design, construction, commissioning, operation, decommissioning). 1.3.6.1. Examples of safety criteria The siting and design requirements are presented by the IAEA in its requirements documents on siting and design [3, 5]. The most well known national example of safety criteria is given by the US NRC in the Code of Federal Regulation (CFR), in particular in title 10 “Atomic Energy”, Part 50 “licensing of production and utilisation facilities” with its Appendix A “general design criteria for nuclear power plants” (64 criteria). Another, more recent example is the decision of the council of state of Finland on the general regulations for the safety of nuclear power plants (1991), (27 sections containing criteria). In Germany details concerning the legal provisions set out in the Atomic Energy Act and the Radiation Protection Ordinance are given by the safety criteria. They contain the safety principles to be applied during design, construction and operation of NPPs in order to ensure that the provisions against damage are taken in accordance with the present state of science and technology. The safety criteria consist of 11 paragraphs containing 33 criteria. Examples of the subjects covered are: testability, exposure of the environment to radiation, effects of load combinations due to external events; protection against fire and explosions; residual heat removal after loss of coolant; external hazards; heat removal from the containment, single failure criteria and its application etc. 36 In Switzerland the overall safety objectives are formulated in an indirect way in the Atomic Energy Act. There are only very few technical requirements in regulations. But the Swiss Safety Authority (HSK) makes use of regulations and guidelines from the countries of origin of the reactors (USA and Germany). The Inspectorate will develop its own guidelines only if it has a different opinion on specific aspects or if it will apply more stringent requirements than those in force in the country of origin. Translated extract from the Atomic Energy Act (1959) states: The application for construction, operation or modification of a nuclear installation shall be supported by a detailed technical report (safety analysis report). The licensing authority shall obtain an (independent) expert's opinion (safety evaluation report) showing, in particular, whether the project includes all measures that can be reasonably required for the protection of individuals, of third party property or of important rights. A summary of safety objectives is given in the Booklet presenting the HSK: “Nuclear installations must be constructed and operated such that the safety of the operating personnel, the general public and the environment is maintained.” 1.4. ILLUSTRATION THROUGH NATIONAL EXAMPLES [15] 1.4.1. Finland 1.4.1.1. Governmental organization Nuclear Energy and Radiation Protection Acts and Decrees define the regulatory framework in Finland. General safety requirements are given by decisions by the state council (i.e. cabinet of ministers). Responsibility on nuclear safety rests on the licensee. The governmental is presented in Fig. 3. Radiation and Nuclear Safety Authority — STUK is an independent regulatory organization for regulating and reviewing nuclear and radiation safety. Administratively (e.g. concerning budget matters) STUK is under the Ministry of Social Affairs and Health. Licence applications for nuclear facilities are handled by the Ministry of Trade and Industry. STUK gives its statement on the safety of nuclear facilities when licensing is concerned. MINISTRY OF SOCIAL AFFAIRS AND HEALTH - administrative authority for the use of radiation STUK - RADIATION AND NUCLEAR SAFETY AUTHORITY - independent regulatory and research organisation MINISTRY OF TRADE AND INDUSTRY - administrative authority for the use of nuclear energy MINISTRY OF THE INTERIOR - protection of the general public in emergency conditions MINISTRY OF FOREIGN AFFAIRS - nuclear safety in regions surrounding Finland Ministry of Environment Ministry of Defence Ministry of Transport Ministry of Agriculture Finnish Meteorological Institute Customs Authority National Food Administration FIG. 3. Finland — governmental organization. 37 1.4.1.2. Hierarchy and development of regulatory guidance in Finland Hierarchical levels of guidance In Finland the relevant legislation is the Nuclear Energy Act and Decree, the Radiation Act and Decree and the Nuclear Liability Act, as well as the Act and Decree on STUK. These acts and decrees define the regulatory framework in Finland. (See Fig. 4). Typically the following topics are presented in the Nuclear Energy Act: general principles, overall good of society, safety, nuclear materials, waste management, physical protection, explosives, licensing, supervisory authority, sanctioning etc. In Finland the council of state gives general regulations concerning safety, security and emergency preparedness. These regulations are mandatory. It is STUK’s responsibility to prepare these regulations, except for the regulation concerning public rescue services, which are prepared by the Ministry of the Interior. So far, following general regulations exist: x The decision of the Council of State on the general regulations for the safety of nuclear power plants (395/1991); x The decision of the Council of State on the general regulations for the safety of a disposal facility for reactor waste (398/1991); x The decision of the Council of State on the general regulations for the physical protection of nuclear power plants (396/1991); x The decision of the Council of State on the general regulations for the emergency response arrangements at nuclear power plants (397/1991). Acts, Decrees Decisions by the Council of State YVL-Guides Industrial and International Standards etc as basis for applications (IAEA, ASME, ANSI, KTA, DIN etc) FIG. 4. Hierarchy of regulations and standards in Finland. Detailed regulations and regulatory guides (YVL guides) are issued by STUK. The Nuclear Energy Act gives a mandate to STUK to issue detailed technical and administrative guidance. YVL guides now include about 65 guides in the following eight series: x General guides; x Systems; 38 x x x x x x Pressure vessels; Civil engineering; Equipment and components; Nuclear materials; Radiation protection; Radioactive waste management. The list of YVL guides is presented in Appendix V. More than 30 guides have been revised in the period 1992–1997. The guides are also translated into English. These guides are rules, which the licensee shall comply with, unless STUK has been presented with another acceptable procedure or solution by which the safety level laid down in the YVL guides is achieved. The actual YVL guides are available in English through Internet at the site www.stuk.fi/english/publications. Developing regulatory (YVL) guides Through YVL guides, STUK shows the utilities the required safety level and the regulatory body’s supervision and inspection practices. Issues handled in the YVL guides therefore cover plant design and operation as well as regulatory control and inspection related topics. YVL guides give design criteria for systems, components and structures of NPP (e.g. YVL 1.0, YVL 2.1, YVL 2.7, YVL 3.1, YVL 4.1, YVL 5.5). They give guidance on accident analysis, PSA and respective design criteria (e.g. YVL 2.2, YVL 2.8). They provide guidance on administrative and organizational issues like QA, document control, training and qualification, safety committee practices (e.g. YVL 1.4, YVL 1.9, YVL 1.7, YVL 1.6). They give guidance on commissioning, testing, operation of NPP´s, event investigation, reporting to the STUK (e.g. YVL 2.5, YVL 1.5, YVL 1.11). They give guidance on plant modifications, repair work, maintenance, in-service inspection, outage control (e.g. YVL 1.8, YVL 1.13, YVL 3.8). They provide guidance on radiation protection, physical protection and waste management (e.g. YVL 7.1, YVL 8.1). With such guidance there will be no surprises to the utilities if new NPPs or plant modifications are planned or if operational practices are changed. The development of YVL guides contains the following phases. The decision is made that a new guide is needed, a working group is formed, and a schedule agreed. The outcome is draft 1, prepared by the working group. IAEA Safety Standards are taken into account when Finnish regulatory guides are written. Draft 1 is then sent for internal comments within STUK, and the outcome is draft 2. This is then sent for external comments to power companies, etc. and the outcome is draft 3. This is presented to the STUK nuclear safety department management meeting for approval, and the final draft 4 is sent for comment to the Nuclear Safety Advisory Board. After considering their comments the guide is brought into force by the Director General of STUK. Internal regulatory guidance (STUK) STUK’s administrative and YTV quality manual defines working practices inside the regulatory body. The emergency plan for STUK defines tasks and working procedures for all departments concerning accident situations. YTV guides prepared by the nuclear reactor regulation department and collected into the YTV quality manual define working and inspection practices in the supervision of NPPs. General inspection procedures prepared for 39 the periodic inspections are included in the YTV quality manual and detailed procedures for each inspection are collected in a specific folder. Responsibility for the upkeep of the inspection procedure lies with the inspector who has the main responsibility for the inspection in question. Example of guidance (criteria for assessment during licensing phase) The Nuclear Energy Act and Decree define the necessary steps, e.g. stages of licensing process of nuclear facilities (decision in principle, construction permit, operating licence) and licensing documents. General design criteria for the NPP are given in the decision of the council of state. YVL guide 1.1 [16] defines the regulatory body’s role in licensing and commissioning. Detailed guidance for safety review and commissioning is given in YVL guides. General design criteria define the safety level and form a basis for safety assessment review reports. YVL 1.1 provides administrative details; the what, when and how for the regulatory body and for the utility. YVL guides 2.2, 6.2, 7.1 and 2.8 give criteria for accident analysis and PSA. YVL 1.0 covers plant design. YVL 2.1 covers safety classification. YVL 2.7 covers failure criteria. YVL 1.4 covers QA. YVL 2.5 covers pre-operational and start-up testing of NPP. YVL guides 3.0–3.9 handle pressure vessels. YVL guides 4.1–4.3 handle concrete and steel structures. YVL guides 5.3–5.8 handle other equipment like valves, pumps, automation, ventilation, etc. YVL guides 7.1–7.18 handle radiation protection and emergency planning and preparedness. YVL guides, group 6 covers nuclear materials. YVL guides, group 8 covers nuclear waste management. International standards provide background information on recommended practices such as the IAEA Safety Standards series. ASME, ANSI, USNRC regulatory guides, etc. provide one good national example. US NRC standard format for PSAR/FSAR and standard review plans provide a model for the assessment of safety reports. 1.4.2. Germany 1.4.2.1. Governmental organization As indicated by its name, Germany is a Federal state. The Federal Constitution therefore contains detailed provisions on the legislative and administrative competencies of the Federation (Bund) and the individual states (Länder). Pursuant to the Federal Act of 1959 on the Peaceful Uses of Atomic Energy and Protection Against Hazards (Atomic Energy Act) the supreme authorities of the Länder, designated by their governments, are competent for the granting, withdrawal and revocation of licences for nuclear installations. The Atomic Energy Act empowers the Bund to issue ordinances and general administrative regulations that are mainly implemented by the Länder acting on behalf of the Federation. The federal control and supervision relate to the legality and expediency of the implementation of the Atomic Energy Act by the Länder. The competent authorities of the Länder are subject to the directives of the competent supreme federal authority, in this case, the Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (BMU). The governmental organization is presented in Fig. 5. 40 1.4.2.2. Application of safety legislation: licensing prerequisites in Germany [17] According to German law, nuclear facilities may not be built and put in operation before a state licence has been granted. The purpose of this governmental control is to achieve the best protection possible against the dangers of nuclear energy. The safety philosophies presume that a nuclear facility represents a man-machine-system. For this reason, the German Atomic Energy Act stipulates that both facility and personnel must meet stringent requirements. The applicant has to fulfil the following licensing prerequisites in order to obtain a licence: x Personal licensing prerequisites: the applicant and the management personnel have to be reliable, and the operating personnel have to have sufficient technical knowledge; x Licensing prerequisites related to the facility: the facility has to be designed in such a way that necessary provisions against damage due to the construction and operation have been made in accordance with state-of-the-art science and technology, sufficient protection against sabotage from outside has to be guaranteed, the location has to be chosen in keeping with ecological standards, and there needs to be sufficient provision to meet any legal liability for damages. Federal Ministry for the Environment, Nature Conservation and Nuclear safety (BMU) Advisory Committees: Reactor Safety Commission (RSK) Comm. of Radiological Protection Further Federal Ministries Expert Organisations: GRS Federal Office for Radiation Protection Länder Ministry in Charge of Licensing, Supervision and Inspection of Nuclear Installations Further State and Local Authorities General Public Expert Organisations: Technical Inspection Agencies (TÜV) Experts on Non-Nuclear Issues Applicant / Licensee FIG. 5. Germany — governmental organization. 41 Reliability of applicant and personnel The applicant and management staff have to be especially reliable. The plant manager, department or sub-department heads, the responsible shift personnel (shift supervisor and deputy shift supervisor) as well as reactor operators and radiological protection officers a part of the management staff have to ensure they manage the hazardous technology with diligence and in a fail-safe manner. The examination of reliability requires an overall assessment of the person in question which also takes into account his/her general behaviour. The examination of reliability also includes evaluation of the physical and psychological aptitude for special activities, besides personal integrity. Before being employed at a nuclear power plant, the personnel will be subject to a security clearance. Technical qualification of personnel The second licensing prerequisite related to personnel concerns the proof of technical knowledge. The management personnel have to furnish proof of special technical knowledge and other operations personnel have to furnish proof of adequate knowledge of safe plant operation and of the possible dangers and the protective measures to be applied. Prevention of damage The most important licensing prerequisite concerns the plant itself. It stipulates that precautions are taken against damage resulting from construction and operation of the plant according to state-of-the-art science and technology. This means that the plant design has to correspond to the latest developments in both science and technology in order to practically eliminate damages. During examination of the damage prevention measures for their correspondence to the latest scientific developments, the licensing authority may not rely on the prevailing scientific opinion, but has to consider all demonstrable scientific findings. If the required precautions corresponding to the most recent scientific knowledge cannot be taken, the licence must not be granted. In addition, the topics of defence in depth-concept are mentioned as design prerequisites (see Section 3). Sabotage protection Further to the main plant-related licensing prerequisite, which is accident prevention, the applicant has to furnish proof of protection against interference and other impacts by third parties. This means, above all, protection against acts of sabotage. Ecology The applicant has to demonstrate that the choice of plant location does not conflict with public interests, especially with regard to environmental impact. Before a licence is granted, thorough examination has to be made to answer whether or not another location is to be preferred because of ecological aspects. For this purpose account must be taken of the impact of the plant on the environment, in particular on the ground water, climate and air, but also on soil, animals and plants, nature and landscape as well as on cultural and material goods. In addition to these environmental goods, contingencies, such as flood, earthquake etc. have to be considered when choosing the location of the plant. 42 Financial security The applicant also has to demonstrate that he is provided with the required financial coverage to meet the legal liability for damages. This provision has to be made in case third persons are harmed by an accident at the plant despite the safety measures taken. In this case, the operator will be held liable for the total damage without limitation. For this purpose, the operator has to furnish proof of the so-called financial security to meet legal liabilities. The authority stipulates the manner and extent to which security has to be provided. In most cases, the proof will be furnished by a third party insurance which pays the damages for which the operator is responsible. Currently, the total of financial security e.g. for a nuclear power plant is 500 million DM. If this amount should be exceeded in the event of an accident the state is obliged to indemnify the operator against liability up to 1 billion DM. Beyond this amount, the operator is held liable to the extent of his property. 1.4.2.3. The German KTA nuclear safety standards The German Nuclear Safety Standards are an integral part of the well known pyramid formed by laws, ordinances, guides, standards and codes (Fig. 6). The author of the Atomic Energy Act and the Ordinances is the legislative power, which is the parliament and the Upper House of the Federal Parliament (Bundestag, Bundesrat). The author of the German Nuclear Safety Standards (KTA standards) is the Nuclear Safety Standards Commission (KTA). The Nuclear Safety Standards Commission (KTA) was established in 1972 and to date 86 Nuclear Safety Standards have been issued. Atomic Energy Act Ordinances Safety Criteria and Safety Standards (KTA-Standards, Regulatory Guides and RSK-Guidelines) Technical Standards (DIN-Standards) FIG. 6 . Hierarchy of regulations and standards in Germany. KTA consists of 50 members representing the German nuclear community, i.e. in five groups of ten members each, the manufacturers, the utilities, the atomic licensing and supervisory authorities, the safety reviewing organizations and another group of miscellaneous (nuclear) interests. The KTA’s objective is to establish safety standards for all kinds of nuclear facilities, primarily, however, for nuclear power plants. These safety standards reflect the common 43 opinion of the five groups and are based on actual experience gained during the licensing, construction and operation of nuclear facilities. Managed by a board with one member from each of the first four above mentioned groups, the KTA decides in which fields safety standards are to be established. KTA-accepted drafts of these standards are published and, at the end of a three-month period, reviewed taking into consideration comments from the public. Final standards are then made public by the German Federal Ministry for the Environment, Nature Protection and Nuclear Safety (Bundesministerium für UMW(e)lt, Naturschutz und Reaktorsicherheit) and are thus put into effect. After a maximum of five years, an issued nuclear safety standard is reviewed to see if it still represents modern practice or if modification proceedings have to be started for this nuclear safety standard. Day-to-day business of the KTA is carried out by the KTA-secretariat. The head secretary of the KTA-secretariat is directly responsible to the board of the KTA. Nuclear safety standards are prepared by KTA-subcommittees as well as by specially appointed groups of experts, utilizing all national and international efforts of standards organizations involved in the field of nuclear technology. All work is carried out under the close supervision of the KTA-secretariat. This kind of organization reflects an old German tradition. It is the idea of cooperation between the governmental authorities and the private industry, all being equally entitled, at least at the level of safety standards. The advantage of such a structure is the high expertise of its members. A disadvantage is a certain heaviness in the decision process. 1.4.2.4. Qualification requirements of German NPP personnel Legal requirements The German Atomic Energy Act states that a licence to operate a nuclear installation may be granted only if — among other prerequisites — the subsequent requirements are met for the responsible and for subordinate operating personnel category: x No facts shall be known that give rise to any doubt as to the reliability of the personnel responsible for the management and control of operation of the installation (responsible operating personnel), and these personnel shall have the requisite competence. x It is ensured that the persons who are otherwise engaged in the operation of the installation (subordinate operating personnel) have the necessary knowledge concerning safe operation of the installation, the possible hazards, and the safety measures to be applied. The following functions are carried out by the responsible operating personnel: station superintendents, nuclear safety commissioners, radiation protection commissioners, operation superintendents, maintenance superintendents, technical superintendents, training officers, physical protection commissioners, shift supervisors, control room operators and their respective alternates. For these personnel the legal qualification requirements cover reliability and requisite competence. The subordinate operating personnel category comprises all 44 personnel engaged in operation who are not included among the aforementioned responsible personnel. For these personnel only a clearly defined amount of necessary knowledge concerning plant safety and safety of the personnel, related to their respective tasks and working places, is required. Guidelines regarding qualification requirements The licensing requirements of the Atomic Energy Act concerning the qualification of personnel have been further specified for nuclear power plants in guidelines: x Guideline for the proof of the requisite competence of personnel at nuclear power plants; x Guideline for the content of the examination of the technical qualification of responsible shift personnel at nuclear power plants; x Guideline for programmes for the preservation of the technical qualification of responsible shift personnel at nuclear power plants; x Guideline for the ensurance of the necessary knowledge of subordinate operating personnel; x Guideline for the technical radiation protection commissioners at nuclear power plants and other facilities for fission of nuclear fuel; x Guideline on requirements regarding the physical protection commissioners and security guards at nuclear facilities of category I; x Guideline for the security screening for trustworthiness of personnel at nuclear installations, during the transport and use of nuclear material and high-level radiation sources. Responsible operating personnel The verification of the requisite competence of the responsible operating personnel is mainly based upon performance evaluation rather than upon special examinations. The documentation of each responsible operating personnel shall proof, that the respective employee has: x A basic professional qualification; x The requisite safety-related knowledge; x The ability to specify, initiate and carry out all measures and actions necessary for the safe operation of the plant; x A minimum practical experience (between 6 months and 3 years); x Special nuclear, plant-specific lectures and in-plant technical training; x Full-scope simulator training (8 weeks for PWR, 7 weeks for BWR); x Successful completion of a written and oral examination; x Special didactic training for training officers. 45 Most of the safety-related nuclear fundamentals are taught to shift supervisors and control room operator candidates in special courses at nuclear training centres which administer final exams. All training centres have adopted a model-catalogue of about 2000 questions and sample answers for the written exams. The oral exam, administered by a special board of examiners has to be taken individually. Shift supervisors, their alternates and control operators have to take a written and an oral examination at their respective plant. The examination is held by a board of examiners which consists of three members of the responsible operating personnel category of the plant, two outside experts under contract of the authority, and one representative of the competent authority. No examination is required at a simulator. However, the simulator training personnel have to evaluate, to document and to testify to the training success for each trainee, including a compilation of possible weakness or deficiencies in knowledge and ability. A responsible representative of the respective nuclear power plant, to which the shift operating crew being trained belongs, will accompany the shift crew and will closely observe his personnel and their training results. Requalification requirements The licensing requirement concerning the competence of responsible operation personnel implies the obligation of the licensee to keep the competence of his employees at the level defined by the current state of science and technology throughout their working life. The licencee has to provide for regular retraining activities, for instance in-plant lectures, external training courses, simulator training (up to 20 days within 3 years). The success of the retraining activities shall be monitored and documented by the plant management, and has to be demonstrated to the competent authority upon request. For extended plant outages the requalification programmes have to be intensified and modified, taking into account the current plant state and the activities which could not be carried out because of the plant outage. Reliability requirements The Atomic Energy Act requires that no known facts shall give rise to any doubt as to the reliability of the responsible operating personnel and this personnel have been security screened for trustworthiness. The security screening procedure is repeated every five years for all personnel. Requirements regarding the qualification of subordinate operating personnel For subordinate operations personnel (all personnel not belonging to the responsible operating personnel category) only the necessary knowledge concerning safe operation of the plant, possible hazards, and safety measures to be applied is required by law. This necessary knowledge depends upon the characteristic of the plant and the respective function or responsibility of the personnel, and on the number of other subordinate personnel supervised. The specification of the necessary knowledge is complicated by the fact that subordinate personnel from one day to the next may be assigned to tasks with different nuclear safety implications, under different working conditions and during major inspections even together with hundreds of off-site personnel who do not know the plant well. Therefore, for 46 subordinate personnel the necessary knowledge has to be specified in a flexible way in order to allow for adaptation to various parameters. The following requirements concerning the insurance of the necessary knowledge have been specified: x All subordinate operating personnel shall receive instructions covering safety-related knowledge and its application to their everyday work; x They shall receive a special briefing at the respective working place prior to the commencement of work; x They shall have professional qualification and practical experience. For all activities that are regularly carried out by subordinate personnel the licensee shall assign personnel to one of the following categories, according to their level of responsibility (it is understood that category “A” to “D” personnel in general are executing instructions given by responsible operating personnel): A: Personnel who plan activities that may have bearing on the safety of the plant or on its safe operation, or who co-ordinate the preparation or execution of such activities; B: Personnel who operate and control important systems like turbine, ventilation systems, cooling water systems from a central position within the scope of the operating instructions or the instructions of the shift supervisor; C: Personnel who execute work or inspections and tests on items important to safety, or who substantially participate in the preparation or execution of such work; D: Personnel who execute narrowly defined activities in support of work executed on items important to safety, or who cannot affect the safety of the plant or of its operation because of the type of and the restrictions on their respective tasks. The minimum training shall take at least two hours and be repeated every year; it is meant for subordinate personnel of category “D”. The maximum training for subordinate personnel shall take several weeks and be repeated every three years; it is meant for personnel with supervisory functions and whose working activities may have direct effects on safety, like personnel of category “A” or “B”. As a last step, the licensee has to specify in a training programme which set of lists on safety-related knowledge will be the basis for training of a specific category of subordinate personnel. All subordinate operating personnel are submitted to a security screening process for trustworthiness. This security screening is an important precaution against sabotage by undercover agents. The extent and intensity level on the security screening will depend upon the plant areas, to which the specified person has access, and upon the ability of that person to jeopardise plant safety. (off-site) personnel not having undergone this screening process have to be escorted permanently by personnel having a security clearance. For off-site personnel the instructions concerning the safety-related knowledge may cause some problems, especially when such personnel are needed at short notice or when time is not available for providing these instructions. In these cases, such off-site personnel will 47 only be allowed to start working when they have received a special briefing and when an experienced permanent supervisor has been assigned to them, who has the necessary safetyrelated knowledge. Conclusion The fact that detailed requirements regarding the qualification of operational personnel have been specified by the licensing authorities does not guarantee this qualification. It is the licensee’s obligation and his sole responsibility to train his personnel, to keep them optimally qualified at any time and to adjust this qualification to any change in the state of science and technology. He is the only one capable of transforming the regulatory requirements into operation-oriented training objectives which take into account the constraints and needs of the actual tasks to be accomplished. There should be close communication between the competent authority and the licensee whenever qualification requirements are to modified, in order not to destroy the licensee’s motivation to apply them meaningfully. It has to be kept in mind that it is not only the qualification of the operating personnel which has an important influence on the human contribution to plant safety. Whether a man will influence the course of any accident sequence in a positive way or not, will strongly depend on his qualification; his success will also be determined by the design of the control room, by his working environment, by the design of working cycles and working aids, and by his motivation. The objective of all efforts to optimise the contribution of the “human factor” to the safe operation of nuclear power plants should therefore represent a simultaneous optimisation of all these influences. 1.4.3. United Kingdom The main legislation governing the safety, and enforcement of safety, of nuclear installations is the Nuclear Installations Act 1965 as amended, together with the health and safety at work, etc. Act 1974 and the Ionising Radiation Regulations 1985. Under the Nuclear Installations Act no site may be used for the purpose of constructing, commissioning or operating any nuclear installation unless a licence has been granted by the Health and Safety Executive (HSE). A nuclear installation is broadly defined as being an installation where nuclear fuel is manufactured, enriched or reprocessed, where products from irradiated nuclear fuel are manufactured, or an installation which is a power or research reactor (some defence related activities are excluded). Her Majesties Nuclear Safety Directorate (NSD) as part of the HSE is responsible for enforcing safety and health legislation at any licensed site. A statutory body called the Health and Safety Commission (HSC) sits between Government and HSE. The aims of HSC and HSE together are to protect the health, safety and welfare of employees, and to safeguard others, principally the public, who may be exposed to risks from industrial activity. The governmental organization is presented in Fig. 7. Each nuclear site licence has conditions attached that have the force of law and which place either absolute requirements or require the making of adequate arrangements and compliance with those arrangements. A fundamental feature of one condition is the requirement for the licensee to demonstrate the safety of the proposed operation in a document known as the “safety case”, prior to the start of that operation. Breach of any law, regulation or licence condition is a criminal offence and the offender may be prosecuted in the United Kingdom courts of law. 48 In the United Kingdom the NSD formulates the overall safety objective as follows: “The objective is to secure the maintenance and improvement of standards of safety at civil nuclear installations and the protection of workers and members of the public”. The modus operandi of the NSD to satisfy the safety objectives is formulated as follows: “The essential regulatory philosophy underlying safe nuclear power in the UK is to ensure that the licensee establishes a safe design, and to monitor it by inspection from manufacture to decommissioning through construction, commissioning, operation and maintenance in order to ensure that the safe design intent is not violated either deliberately or unintentionally.” NSD does not issue Standards or Codes of practice for nuclear power plants. Rather it expects each licence applicant to develop their own design safety criteria and requirements. These criteria are not formally approved or promulgated as standards or codes. The form of regulation chosen is non-prescriptive but is one that obliges licensees to understand the risks associated with their plant. They must propose suitable arrangements for dealing with those risks, and, once “approved” by the NSD, these arrangements become legally enforceable constraints on the way in which the licensee may operate. Department Environment, Transport and the Regions Environment Agency Health & Safety Commission Discharge & Disposal of Radioactive Waste Health & Safety Executive Nuclear Safety Directorate (NSD) FIG. 7. United Kingdom — governmental organization. 1.4.4. Governmental organization for nuclear safety in the USA 1.4.4.1. History of nuclear safety regulation in the USA The history of the US nuclear regulatory system dates from the initial development of nuclear technology as part of the country’s wartime programme in the mid-1940’s. In its earliest phase, virtually all nuclear activities were highly confidential and closely controlled for security reasons. Since that time, the legal and organizational structure for nuclear energy has expanded to cover a full range of civilian activities in the nuclear field. The following chronology summarizes some of the key developments in the history of the US system for nuclear regulation: 49 x 1946. A new Atomic Energy Act creates the Atomic Energy Commission (AEC) to exercise civilian control over nuclear energy development and regulation. Under the 1946 Act, nuclear technology begins to become more public and open. x 1953. On December 8, President Eisenhower delivers an important address to the United Nations General Assembly entitled “Atomic Power for Peace”. The speech launches the worldwide “Atoms for Peace” programme that not only gave impetus to the civilian nuclear programme in the USA, but also supported the transfer of nuclear technology to other nations. x 1954. A substantially revised Atomic Energy Act authorizes the transfer of a broad range of nuclear technology from the governmental sector to private industry and establishes a regulatory framework for such activities within the Atomic Energy Commission. x 1957. Congress enacts the Price-Anderson Act, which adopts limits on liability and a system of compensation for damage from nuclear accidents, a measure that significantly encourages the wider development of nuclear power. x 1961. The US Supreme Court issues its decision in the important Power Reactor Development Company case, the first major legal challenge to licensing of nuclear power plants in the USA. The Court affirms the AEC’s two-step licensing process (construction permit/operating license) and holds that judicial review of regulatory decisions will to extend to AEC technical safety judgements. x 1969. Congress enacts the National Environmental Policy Act (NEPA), that requires preparation of an environmental impact statements (EIS) for all major federal projects. Reactor construction is considered a major federal project it must receive a permit and license from the US regulatory body (at that time, the AEC). x 1974. In a major organizational reform, Congress adopts the Energy Reorganization Act that abolishes the AEC and creates two new bodies. The US Nuclear Regulatory Commission (NRC) is established as an independent agency to regulate nuclear energy. The Energy Research and Development Agency (ERDA) — later the Department of Energy (DOE) — is given responsibility for development and promotion of nuclear energy. 1.4.4.2. Basic character of the US system of nuclear regulation Having summarized the history of the US nuclear regulatory system, some consideration should be given to the reasons why it is structured as it is. Many factors are relevant in determining the legal and institutional framework for nuclear regulation in any country. The following factors seem particularly relevant to the US approach. The US civil nuclear power programme is quite large, with over 100 operating reactors at over 60 sites. Supervision of such a programme obviously requires a proportionately large regulatory body. The US programme is technologically diverse. Four reactor vendors have utilized some 80 designs based on pressured-water reactor (PWR) and boiling-water reactor (BWR) technology. Unlike a programme that utilizes a standardized design, a diverse system requires the regulatory body to maintain a larger cadre of technically trained personnel in a variety of fields. 50 The US programme also involves a diversity of operating organizations. Until recent reorganization and consolidation of the electric utility industry, some 45 separate companies were operating nuclear power plants in geographically dispersed locations. Such a programme requires a regulatory system that is organized to monitor nuclear safety on a regional and sitespecific basis. The US legal system, in general, reflects a long tradition of independent regulatory bodies responsible for assuring health and safety in various areas of industrial and economic development (e.g. food and drugs, railroads). This provided a clear model for the organizational structure of a regulatory body in the nuclear field. The US constitutional system is federal, with the 50 state governments exercising significant powers (e.g. police, environment, local land use, economic regulation of electric utilities). However, the US system also provides a dominant role for the federal government in certain areas deemed essential to national interests. Sometimes called the doctrine of “pre-emption”, the federal role has been particularly broad in the nuclear area, primarily because of its military origins and security aspects. The US has a tradition of active legislative involvement in all areas of public policy. Congress expects to conduct vigorous oversight of regulatory bodies on a regular basis. Regulatory officials expect to appear regularly before legislative committees to explain their activities, as well as to support annual budget requests. Judicial review of the actions of all government agencies is routine in the USA An independent court system enforces the legal accountability of regulatory bodies, including those in the nuclear area. Since nuclear energy is controversial, most significant regulatory decisions are likely to be challenged in court. This requires that the regulatory body have substantial legal expertise to defend its decisionmaking. In general, US governmental activities are conducted in a very open and transparent process. Nuclear regulation is no exception in this regard. This openness includes a strong tradition of public participation in agency decision making, in which so-called “stake-holders” (i.e. parties with some identifiable interest) have the right to participate in agency proceedings by submitting oral or written testimony. Openness is assured through a number of laws that are not particular to the nuclear field, but to all aspects of government. The Freedom of Information Act, Government in the Sunshine Act and Federal Advisory Committee Act (to name only a few) include requirements for government transparency. With regard to the financing of regulatory activities, the USA has moved to a system in which the regulated industry funds substantially all of the costs of regulation. The US Nuclear Regulatory Commission is funded by fees assessed against licensees. This represents a change from the original approach of funding regulation from taxes paid by all citizens. The arrangement — known as “full cost recovery” — means that persons using nuclear-generated electricity or nuclear techniques eventually pay the regulatory bill. A more recent factor that is having a major impact on the US nuclear regulatory system is the process of de-regulation and reorganization in the nation’s electric utility industry. The impacts of these developments are diverse and unpredictable. One major effect is a change in the number and even identity of utilities operating nuclear power reactors. This will require close regulatory oversight to confirm that new entities have the technical and financial resources to ensure safety. Also, a more competitive electricity market is creating pressures to reduce the costs of regulation, a factor that could impact regulatory resources. 51 1.4.4.3. The statutory framework for US nuclear regulation The US nuclear regulatory system is based on a rather extensive and complicated framework of laws, some of which are specific to the nuclear field, but many of which apply to all governmental activities. Table V lists the most important legislative acts that govern the day-to-day regulation of nuclear safety. The most important of these laws is the atomic energy act of 1954, which establishes the comprehensive framework for the uses of nuclear energy. The 1954 act has been regularly updated and amended (almost on an annual basis) for the past half century. Other laws cover specific subject matter areas in the nuclear field, such as waste management. TABLE V. US LEGAL FRAMEWORK FOR NUCLEAR ENERGY REGULATION Specific nuclear-related laws: x Atomic Energy Act (1954), as amended; x Price-Anderson Act (Adopts Limits on Liability and a System of Compensation for Damage from Nuclear Accidents) (1957); x Energy Reorganization Act (1974); x Uranium Mill Tailings Control Act (1978); x Nuclear Non-Proliferation Act (1978); x Low-Level Radioactive Waste Policy Act (1980); x Nuclear Waste Policy Act (1982); x Low-Level Radioactive Waste Policy Act Amendments (1985); x Diplomatic Security and Anti-Terrorism Act (1986); x Nuclear Waste Policy Amendments Act (1987); x Energy Policy Act (1992); x Annual NRC Appropriations Acts; Generally applicable laws: x x x x x National Environmental Policy Act (1969) Requires Impact Statements on Major Projects; Administrative Procedure Act; Government in the Sunshine Act; Freedom of Information Act; Federal Advisory Committee Act. A number of laws that are not specific to the nuclear field have an important impact on nuclear safety regulation. The most important of these general laws is the national environmental policy act of 1969. This act requires the preparation of environmental impact statements for major federal actions, which include the construction of power reactors and development of waste management facilities, among others. Certain procedural acts of general applicability also determine how nuclear regulatory bodies implement their responsibilities. For example, the administrative procedure act governs the way all federal agencies conduct their business, including provisions for how agency decision making must be conducted and how persons may challenge actions they believe to be improper. 52 1.4.4.4. Nuclear Regulatory Commission — main responsibilities As stated previously, since 1974 the US governmental body primarily responsible for regulation the safety of nuclear activities is the independent Nuclear Regulatory Commission. The NRC has wide-ranging responsibilities covering most aspects of the nuclear fuel cycle. the following list summarizes some of its main activities: x Regulation (through standard-setting, licensing, inspection and enforcement) of the design, construction, operation and de-commissioning of: Commercial nuclear power reactors. Research, test and training reactors. Medical, academic and industrial uses of nuclear materials. Transport, storage and disposal of nuclear materials and nuclear waste. x Licensing of reactor operators. x Conducting research on nuclear safety. x Providing public information related to nuclear safety. x Coordinating relationships with state governments regarding nuclear safety. The basic mechanism for this coordination is through a series of state agreements under which regulatory authority is exercised by state governments based on an NRC determination that they are compatible and consistent with NRC regulations. x Maintaining an Incident Response Center to help manage nuclear events and accidents. x Cooperating with other national governmental bodies and international organizations on nuclear safety and radiation protection. x A more extensive discussion of the detailed structure and activities of the Commission is set forth in Part 2 — Regulatory Body at section 2.1.2.4 — US Nuclear Regulatory Commission. 1.4.4.5. Role of other federal agencies and state and local governments Although the US Nuclear Regulatory Commission exercises the greatest range of responsibilities for regulating nuclear energy in the USA, other bodies have important roles that should be briefly mentioned. The most important federal agencies in this regard are the following: Department of Energy (DOE): As the Federal agency charged with development and promotion of nuclear energy, DOE supports a range of activities important to safety. For example, the department has embarked on a major programme for developing a new generation of nuclear power reactors that, among other aspects, are intended to have much greater inherent safety features than current designs. This work is conducted in cooperation with private industry. DOE also implements an extensive programme of nuclear safety cooperation with other countries, primarily in Central and Eastern Europe and new independent states of the former Soviet Union. DOE is also responsible for the safety of defence-related nuclear activities at its own facilities. 53 Environmental Protection Agency (EPA): EPA has broad responsibilities in the protection of all aspects of the environment, including water quality, air pollution and toxic wastes. Although NRC regulates safety at nuclear-related sites, EPA is involved in standard-setting and regulation of environmental impacts of nuclear activities that may extend beyond a site, affecting the general population. Department of Transportation (DOT): DOT regulates transportation of hazardous materials, including nuclear materials, to ensure safe handling in the movement of such materials in inter-state commerce. Department of State (DOS): The State Department coordinates US relations with other nations and international organizations, including those related to nuclear safety. DOS is typically the lead federal agency in negotiating international instruments, including those related to nuclear safety and coordinates with DOE, NRC and other agencies on safety cooperation with foreign entities. Department of Defence (DOD): The Defence Department is responsible for the safety of nuclear materials and activities under its control, including nuclear weapons and nuclearpowered vessels. Occupational Health and Safety Administration (OSHA): OSHA administers important regulatory controls over the protection of workers from dangerous occupational hazards to health and safety. State and local governments do not have inherent authority to regulate the radiological aspects of nuclear energy. However, as noted previously, many states exercise regulatory control over radiation protection under agreements with the Nuclear Regulatory Commission. States and local governments also have important responsibilities derived from their fundamental powers over land use planning and economic development. For example, the government of a state in which a proposed nuclear power plant is to be constructed must issue certain kinds of permits related to construction. States also exercise economic regulation of electricity rates, an activity that can impact the resources available to an operating organization for maintaining and improving safety at its facilities. 2. REGULATORY BODY 2.1. REGULATORY INDEPENDENCE The importance of regulatory independence is recognized in the Convention on Nuclear Safety [11] and the IAEA Safety Requirements on legal and governmental infrastructure for safety (Ref. [2] ). Both documents address the establishment of a regulatory body and the need for its separation, or independence, from the promoters of nuclear technology. The primary reason for this separation is to ensure that regulatory judgements can be made, and enforcement actions taken, without pressure from interests that may conflict with safety. Furthermore, the credibility of the regulatory body in the eyes of the general public depends in large part upon whether the regulatory body is regarded as being independent from the organizations it regulates, as well as independent from government agencies or industry groups that promote nuclear technologies. It is recognized that a regulatory body cannot be absolutely independent in all respects from the rest of government: it must function within a national system of laws and budget 54 constraints, just as other governmental and private organizations do. Nevertheless, it is important for its credibility and effectiveness that the regulatory body has effective independence in order to make the necessary decisions with respect to the safety of workers, the public and the environment. The need for independence of the regulatory body does not imply that it needs to have an adversarial relationship with operators or any other stakeholder. The following paragraphs provide a more detail discussion of a number of elements of regulatory independence: Elements Of Regulatory Independence Political: The political system shall ensure clear and effective separation of responsibilities (duties) between the regulatory body and organizations responsible for the development of nuclear technologies. In this regard, it is important to distinguish between independence and accountability. The regulatory body should not be subject to political influence or pressure in taking safety decisions. The regulatory body should however be accountable with regard to fulfilling its mission to protect workers, the public and the environment from undue radiation hazards. One way of providing this accountability is by establishing a direct reporting line from the regulatory body to the highest levels of government. In the case where a regulatory body reports to a government agency that has responsibility for exploiting or promoting nuclear technologies, there should be channels of reporting to higher authorities to resolve any conflicts of interest that may arise. This accountability should not interfere with the independence of the regulatory body in making specific safety decisions with neutrality and objectivity. Legislative: In the legislative framework of a national regulatory system (e.g. atomic laws or decrees) the role, competence and independence of the regulatory body with respect to safety should be defined. The regulatory body shall have the authority to adopt or develop safety regulations that implement laws passed by the legislature. The regulatory body shall also have the authority to take decisions including enforcement actions. There should be a formal mechanism for appeal against regulatory decisions, with predefined conditions that must be met for an appeal to be considered. The regulatory body shall have the responsibility for adopting or developing safety regulations that implement laws passed by the legislature. Financial: “The regulatory body shall be provided with adequate authority and power, and it shall be ensured that it has adequate staffing and financial resources to discharge its assigned responsibilities.” (Ref. [2], Para. 2.2 (4)) While it is recognized that the regulatory body is in principle subject to the same financial controls as the rest of government, the budget of the regulatory body should not be subject to review and approval by government agencies responsible for exploiting or promoting nuclear technologies. Competence: The regulatory body should have independent technical expertise in the areas relevant to its safety mission. The management within the regulatory body should therefore have the responsibility and authority to recruit staff with the skills and technical expertise they consider necessary to carry out the regulatory functions. In addition the regulatory body should maintain awareness of the state of the art in safety technology. In order to have access to outside technical expertise and advice that is independent of operator or industry funding/support to support its regulatory decisionmaking, “The regulatory body shall have the authority to obtain such documents and opinions from private or public organizations or 55 persons as may be necessary and appropriate” (Ref. [2], Para.2.6 (10)). In particular, the regulatory body shall have the ability to set up and fund independent advisory bodies to provide expert opinion and advice (Ref. [2], Para. 2.4, (9)) and to award contracts for research and development projects. Information to the Public: One of the responsibilities of the regulatory body is to provide information to the public. “The regulatory body shall have the authority to communicate independently its regulatory requirements, decisions and opinions and their basis to the public.” (Ref.[2], Para. 2.6, (11)). Since the public will only have confidence in the safe use of nuclear technology if the regulatory process and decisions are transparent, government should set up a system to allow independent experts and experts from major stakeholders (for example, the industry and the workforce and the public) to provide their views. The experts' findings should be published. International: “The regulatory body shall have the authority to liaise with regulatory bodies of other countries and with international organizations to promote co-operation and exchange of regulatory information.” (Ref.[2], Para. 2.6, (14)). 2.2. ORGANIZATION AND FUNCTIONS OF REGULATORY BODY 2.2.1. IAEA guidance for regulatory organization [2]1 The prime responsibility for safety is assigned to the operator. The primary objective of the regulatory body is to ensure that the operator fulfils this responsibility to protect human health, and the environment from possible adverse effects arising from nuclear facilities and management of radioactive waste. In order to achieve these objectives the regulatory body defines policies, safety principles and associated criteria as a basis for its regulatory actions. Table VI presents the main functions of the regulatory body. In order to discharge its main responsibilities the regulatory body needs to: x Establish a process for dealing with application, e.g. issuing of an authorization; x Provide guidance to the operator on developing and presenting safety assessments or any other required safety related information; x Ensure that proprietary information is protected; x Communicate with, and provide information to, other competent governmental bodies, international organizations and the public; Ensure that operating experience is appropriately analysed and that lessons to be learned are disseminated; x Ensure that appropriate records relating to the safety of facilities and activities are retained and retrievable; x Ensure that its regulatory principles and criteria are adequate and valid, and shall take into consideration internationally endorsed standards and recommendations; x Advise the government on matters related to the safety of facilities and activities; x Confirm the competence of personnel responsible for the safe operation of the facility or activity; and x Confirm that safety is managed adequately by the operator. 1 INTERNATIONAL ATOMIC ENERGY AGENCY, Organization and Staffing of the Regulatory Body for Nuclear Facilities, GS-G-1.1 (in press). 56 TABLE VI. FUNCTIONS OF THE REGULATORY BODY [2] The regulatory body has the following main functions: x Establishment, promotion or adoption of regulations and guides, upon which its regulatory actions are based; x Review and assessment of submissions on safety from the operators both prior to authorization and periodically during operation as required; x Issuing, amending, suspending or revoking of authorizations; x Carrying out regulatory inspections; x Ensuring corrective actions if unsafe or potentially unsafe conditions are detected; x Taking the necessary enforcement actions in the event of safety requirements having been violated. The regulatory body may also have additional functions such as: x Carrying out independent radiological monitoring in and around nuclear facilities; x Carrying out independent testing and quality control measurements; x Initiating, co-ordinating and monitoring safety research and development in support of the regulatory functions; x Providing personnel monitoring services and medical examinations; x Monitoring of nuclear non-proliferation; x Regulatory control of industrial safety. The regulatory body needs to be structured in a manner that ensures that it is capable of discharging its responsibilities and fulfilling its functions effectively and efficiently. The organizational structure and size of the regulatory body are influenced by many factors and it is not appropriate to recommend a single organization model. The regulatory body needs a structure and size commensurate with the extent and nature of the facilities and activities it must regulate, and it needs adequate resources to discharge its responsibilities. The organizational structure of a regulatory body varies from country to country. The following sections provide general guidance on the organizational structure based on the functions of the regulatory body. The principal functions to be carried out are: regulations and guides, authorization, review and assessment, inspection and enforcement. The regulatory body has also the function in connection with emergency preparedness. For a large organization it is often useful to have each of these functions assigned to a discrete section or division within the regulatory body. Each of these functions need many specialized skills. Rather than having each functional unit containing its own specialists, it is often practical and efficient to group the specialists in a matrix such that each organizational unit assigned responsibility for a function can draw on specialist skills as needed. Development of regulations and guides requires a considerable amount of resources. If new or revised regulations and guides are required frequently it may be appropriate to have a permanent unit to deal with this. Where the need for new or revised regulations and guides is infrequent it may be sufficient to identify a mechanism whereby such resources can be drawn together when required. Regulations and guidance cannot be produced in isolation but consultation both within and outside the regulatory body is needed. In developing regulations and guides, account is taken of international standards and recommendations, obligations imposed by any conventions to which the state may be party, relevant industrial standards and any advances in technology. 57 Review and assessment are among the main continuous functions of a regulatory body. It is therefore appropriate to assign this to a person or organizational unit within the regulatory body. This function often involves drawing together teams of specialists. Review and assessment is based on regulations and guides. The review and assessment necessitate effective communication and interaction between different units of the regulatory body. The main parameters, characteristics and results are recorded and retained, in written form, for future reference. Inspection is another continuous function of the regulatory body and can take many forms. The inspectors may form a permanent part of the inspection unit, or may be drawn from other parts of the regulatory body as required. Project managers or supervisors should be appointed to plan and monitor the work of all inspections performed for a facility and draw the results together. An inspection may result in a requirement for additional review and assessment or for enforcement action. Therefore, there should be strong and effective links with all other parts of the regulatory body. The use of resident inspectors may provide benefits such as improving the ability of the regulatory body to engage in on-site surveillance of systems, components, tests, process and other activities of the operator at any time. The full-time presence of inspectors can improve the ability of the regulatory body to identify and respond promptly to problems. With resident inspectors, inspection frequency and intensity at any given level of human resources can be more readily optimised, and the regulatory body may be better informed of operator schedules and hence better able to coordinate its inspection activities with key operator activities that it wishes to observe. Where resident inspectors are employed, consideration should be given to locating more than one at a particular site for mutual support. There should be adequate communication between resident inspectors and the headquarters to maintain regulatory effectiveness. The use of non-resident inspectors may demand less in terms of human resources than the use of resident inspectors. Non-resident inspectors may inspect more than one site, which may be a more efficient use of limited resources. Alternatively a non-resident inspector may be assigned to a particular facility and may co-ordinate inspection activities at that facility. Furthermore, a non-resident inspector is less likely to become unduly isolated from the activities and decision making of the regulatory body. Enforcement actions are designed to respond to non-compliance with specified conditions and requirements. There are different enforcement actions, from written warnings to penalties and, ultimately, withdrawal of an authorization. In all cases the operator is required to remedy the non-compliance, to perform a thorough investigation in accordance with an agreed time-scale, and to take all necessary measures to prevent recurrence. The regulatory body shall ensure that the operator has effectively implemented any remedial actions. The organizational structure of the regulatory body needs to enable enforcement actions to be taken at appropriate level. The precise role of the regulatory body in emergencies varies considerably between states, depending on how it is organized to respond to emergencies in general. In many states, the regulatory body has an advisory function for the authority responsible for emergency preparedness. It will therefore be necessary to set up procedures to draw together the necessary resources when required, and to exercise them as appropriate. The structure of the regulatory body should clearly indicate a responsible person or group in charge of co58 ordinating the development of procedures, liasing with other organizations involved in the overall emergency preparedness and conducting the exercises. The regulatory organization needs an administrative support that is an organizational unit dedicated to general administrative work. A regulatory body is by its very nature engaged in activities that require professional legal support. The legal support can be provided as part of the staff of the regulatory body or provided by another governmental body or obtained through contract. The regulatory body should be structured to recognise either implicitly or explicitly the interface of legal functions with technical and management functions. Activities typically requiring professional legal participation include, e.g. development of basic legislation and regulations including compatibility with international conventions and agreements, providing legal advice and representation of the regulatory body in the case of enforcement activities and at the court of law. If a regulatory body or its dedicated support organization does not have an adequate number of qualified personnel or the workload does not justify the recruitment of a full-time staff, consultants may be used to perform selected tasks. The technical qualifications and experience of such consultants are at least at the same level as the staff of the regulatory body performing similar tasks. More generally consultants are used by the regulatory body to assist in performing tasks requiring an additional level or area of expertise which may arise occasionally, or to provide a second opinion on important issues. Since the regulatory body has to evaluate and utilize the work performed by consultants, it defines the scope of the work to be performed. The consultants are required to provide a detailed written report which includes the basis and method of evaluation, conclusions and recommendations that will assist the regulatory body in completing its evaluation. The government or the regulatory body may choose to give formal structure to the processes by which expert opinion and advice are provided to the regulatory body. For example, broadly based advisory committees with membership drawn from other government departments, regulatory bodies of other countries and scientific organizations can bring broad perspectives to bear on the formulation of regulatory policy and regulations. Another type of advisory committee is the technical committee composed of members with a range of technical skills needed to evaluate complex technical issues. Such committees may have a defined role in the authorization process. Alternatively, they may be ad hoc, performing a function similar to that of consultants but for which a number of different skills are needed to address complex issues. Any advice offered shall not relieve the regulatory body of its responsibilities for making decisions and recommendations. The regulatory body encourages facility operators to carry out the research and development needed to produce adequate argumentation about safety. However, there may be situations in which the operator’s research and development are insufficient or in which the regulatory body requires independent research and development to confirm specific important findings. The regulatory body may need research and development work in support of its regulatory functions in such areas as inspection techniques, analytical methods or in developing new regulations and guides. The regulatory body’s organizational structure reflects these needs either by setting up a research unit or by having staff who can define research and development needs, initiate, co-ordinate and monitor the work and evaluate the results. Regardless of how it is carried out, the regulatory body ensures that the research is focused on 59 regulatory needs, whether short or long term, and that the results are disseminated to the appropriate organizational units. The actions and responsibilities of many organizations can interact with those of the regulatory body. Such organization may include government departments, environmental protection authorities, other bodies with responsibilities for emergency preparedness, physical protection, water and land use planning authorities, authorities responsible for public, occupational, health and safety, fire protection authorities, etc. Where regulatory authorities overlap it may be appropriate to manage the relationship between the bodies by means of a formal agreement. This should set out each body’s responsibilities, which should lead on any aspect of overlap and how conflicting requirements should be resolved. In many cases, it may be appropriate to have regular liaison meetings. The regulatory body is organized to provide public information regarding its activities, both on a regular basis and in relation to abnormal events. Information provided to the public is objective, reflecting the regulatory body’s independence. The regulatory body is as open as possible while complying with national legislation on confidentiality. This can best be done by individuals with expertise in the field of public information to ensure that the information presented is clear and comprehensible. In a large regulatory body, this may warrant the establishment of a specialized unit. The safety of facilities and activities is of international concern. Several international conventions relating to various aspects of safety are in force. National authorities, with the assistance of the regulatory body, as appropriate, establish arrangements for the exchange of safety related information, bilaterally or regionally, with neighbouring States and other interested States, and with relevant intergovernmental organizations, both to fulfil safety obligations and to promote co-operation. The involvement of the regulatory body in international co-operation, arranged by means of multilateral or bilateral agreements, could consist of exchange of information, mutual assistance in regulatory activities, staff training, regular staff meetings on specific subjects and other matters. Multilateral co-operation could be organized using different approaches; for example, regional approaches, multilateral based on design or type of facilities concerned. The regulatory body may also be involved in fulfilling national obligations under international conventions. These may require subsequent actions as appropriate. In the following, different types of organizational arrangements are described as examples of how the above responsibilities and duties can be organized. 2.2.2. Examples of regulatory organizations [15] 2.2.2.1. Finland STUK — Radiation and Nuclear Safety Authority acts as the regulatory body for nuclear power plants in Finland. STUK maintains jurisdiction over nuclear safety, radiation protection, pressure vessel, and nuclear material and safeguards. STUK gives detailed technical and administrative instructions relative to the design, construction, commissioning and operation of nuclear power plants in so called “YVL” guides. Organizational scheme is presented in Fig. 8. At the end of the year 2000, STUK employed 290 persons. STUK has a staff of approximately 80 inspectors for the supervision of nuclear power plants (4 units). Basic educational level of the inspectors of STUK is: approximately 20% engineers, 70% graduate engineers (diploma) or a corresponding degree, and 10% with a higher degree. There are training policies and guidelines for the training of inspectors. 60 FIG. 8. Finland — organization of STUK. Total finance in 2000 was 129 million FIM (22 million Euros). The sources of funding of STUK were as follows: states funding allocations (42%); income from monitoring under public law (29%); expert services (23%); external funding for joint venture (6%), other funding (2%). Expenditure by sector in 2000 was: nuclear safety (30%); research (29%); services (21%); radiation safety (8%); environmental radiation monitoring (4%); preparedness (4%); information (4%). Regulatory oversight including respective direct costs such as contracted research activities carried out by STUK is directly charged from the utilities. Other sources of STUK incomes are the governmental budget and some contracted services. Overhead expenses are divided to different organizations in relation of working hours carried out. Emergency preparedness, public information and international and domestic cooperation are paid from the governmental budget. 2.2.2.2. Switzerland The legal basis for the regulation and supervision of nuclear activities are: The nuclear law (1959), the federal amendment to the nuclear law (1978) and the Federal Ordinance about the supervision of nuclear installations (1983). According to the Ordinance the Federal Nuclear Safety Inspectorate (HSK) exercises supervision over nuclear installations in Switzerland. Its main tasks are the establishment of the safety review to be delivered to the federal government with regard to the granting of a general licence or of permits for construction, operating, etc. of nuclear installations, and the surveillance and inspection of these installations. Organizational scheme is presented in Fig. 9. 61 Direction HSK Department Mech. & Electrical Equipment Electrical Engineering & I &C Mechanical & Civil Engineering Secretariat & Central Services, Scientific Advisor Safety Research & International Programme Co-ordination of Supervision of NPPs Human Factors, Organization & Safety Culture Department Design and Safety Analysis Reactor & Safety Technology PSA & Accident Management Department Radiation Protection & Emergency Planning Accident Consequences & E P &P Radiation Measurement & Radioecology Section Radioactive Waste Management Radiation Workers Protection FIG. 9. Swiss Federal Nuclear Safety Inspectorate organization. The licensee has full responsibility for the safety of his plant. The regulatory body defines the safety requirements and checks for fulfilment of these requirements. Persons entrusted with the surveillance may at any time require information and have access to all documents; they have unhindered access to all installations, offices, and stores. The inspection personnel belong to HSK as the governmental organization, and also to private organizations (e.g. for mechanical components, civil structures, and some for radiation monitoring). The HSK does not have people, who are full time inspectors. Supervision is carried out by different sections. The co-ordination and inspection section has the duty to coordinate inspection activities. Each site has a site inspector who is a member of this section. About 70 persons are involved overall in inspection activities of the HSK. They include some 20 persons from private organizations. Inspectors and regulators in the HSK are identical. Typical qualification is a BS or MS degree and several years of experience in nuclear or nonnuclear industries. Supplemental training in reactor technology and safety is provided in the first year. The annual budget of the Inspectorate (HSK) is approximately 6.2 million Swiss francs (salaries and infrastructure, including the secretariat of the advisory commission (KSA), but excluding the Commission as such). In addition, some 7 million Swiss francs are budgeted for external experts and for research contracts. The expenses of HSK are mostly compensated for by specific revenue from the federal treasury. Fees have to be paid by the applicants/licensees for all licensing procedures. The operators of nuclear installations are invoiced by the federal administration for the actual costs of the supervision by the Inspectorate and its experts. 2.2.2.3. United Kingdom Her Majesties Nuclear Safety Directorate (NSD) as part of the Health & Safety Executive (HSE) is responsible for enforcing safety and health legislation at any licensed site. Organization of NSD is presented in Fig. 10. NSD has about 150 inspectors and 90 administrative support staff. About one third of the inspectors are engaged in site inspection duties, about one third in assessment, with the rest in project management, strategy and other related duties. There are also a number of inspectors located elsewhere in HSE providing advice on policy matters. Inspectors are all technically or professionally qualified. Typically they hold chartered engineer or equivalent status and have suitable experience in an 62 appropriate field. Internal training programmes cover legal and other activities to ensure that an Inspector is competent to inspect and enforce legislation. NSD does not employ noninspectorial technical or professional staff. Outside experts or specialists are rarely contracted by NSD to perform inspections but are sometimes contracted to provide assistance or advice on particular assessment issues. Chief Inspector NSD Division 1 British Energy Sites - Inspection - Assessment - Projects - Research - Strategy Division 2 British Nuclear Fuels (BNFL) Sites - Inspection - Assessment - Projects Division 3 General and Defence Sites - Inspection - Assessment - Projects Director’s Support Finance/planning Resource Management Procedures/guidance FIG. 10. United Kingdom — Nuclear Installations Inspectorate, organization. Inspectors appointed by the HSE also have the power to stop unsafe acts or require improvements to be made within given time scales. Some of the conditions attached to the licence also give the HSE the power to direct the licensee to undertake a specified task (e.g. shutdown reactors) and the power to consent or approve to certain activities (e.g. items of high safety significance). These powers are carefully set out so as to not take away the absolute responsibility of the licensee for safety on the licensed site. Neither HSE or NSD are involved in licensing of individuals at the nuclear installation, but powers in the licence conditions exist to enable the HSE to stop any appointment by the licensee of persons to key safety related posts such as control room operators. NSD’s actions are subject to internal review processes and in extreme cases can be subject to review by the United Kingdom courts of law. The Government sets the policy on siting of nuclear installations, dealing with radioactive waste and decommissioning which NSD implements through the granting of site licences and its powers under the site licence conditions. HSE sets policy in respect of work radiation exposure that is enforced by NSD on licensed nuclear installations and by other parts of HSE for other industrial and medical uses of radioactive material. NSD also enforces other safety and health regulations in relation to non-nuclear hazards at licensed nuclear sites. The Health and Safety Commission also has a group of nuclear experts called Nuclear Safety Advisory Committee (NUSAC), which provides advice on matters which may be referred to it or it has decided to take an interest in. NSD makes presentations to NUSAC and considers its advice. 63 Under the Nuclear Installations Act, HSE recovers most of the running costs of NSD, together with the costs of any research thought necessary from licensees. Fines, which the United Kingdom courts of law may impose on a licensee or person, go to the courts and not NSD. 2.2.2.4. US Nuclear Regulatory Commission The basic legal and organizational framework for nuclear regulation in the USA has already been described in 1.4.4. The following section includes a basic description of the structure and responsibilities of the US Nuclear Regulatory Commission (NRC). The Commission’s organization chart is set forth in Fig. 11. Organizational structure of the NRC The NRC is headed by a Commission comprising 5 members, each appointed by the President of the USA and confirmed by the US Senate. Several measures have been adopted to ensure the Commission’s independent, non-partisan character. Commissioners serve for fixed five year terms and can only be removed for legal cause (e.g. violation of law or dereliction of duty). The Chairman of the Commission is designated by the President from among the Commissioners and serves in that capacity at the discretion of the President. Although the Chairman has some special responsibilities regarding management of the agency, each Commission possesses and equal vote on policy matters. If removed as Chairman, the person may remain on the Commission for the remainder of his or her term of office. One of the commissioners’ terms expires each year, providing a regular rotation of membership. Commissioners may be re-appointed. However, to avoid partisanship, no more than three of the five commissioners can be members of a single political party. A few years ago, the NRC was somewhat restructured along the lines of a corporate business model. In particular, two new officers were designated to manage major organizational functions. A Chief Information Officer (CIO) was designated to be responsible for all information technology, communication and computing capabilities. Similarly, a Chief Financial Officer (CFO) was designated to deal with resource and budget issues. The Executive Director for Operations (EDO) continues to be the Chief Operating Officer of the Agency. The EDO maintains management supervision over all NRC’s three main operating divisions — Materials, Research and State Programmes; Reactor Programmes; and Management Services. As indicated in Fig. 8 organization chart, these three Divisions supervise the activities of the various NRC offices covering specific areas of the Agency’s responsibility. These cover all the traditional areas of regulatory supervision, including standard-setting, licensing, inspection and enforcement. A number of offices related to the Commission’s overall administrative functioning are directly supervised by the Commission, itself. Such offices include: Inspector General; Congressional Affairs; Public Affairs; General Counsel; and International Programmes. The Commission’s various advisory bodies (such as the Advisory Committees on Reactor Safeguard and on Waste) also report directly to the Commission. Consistent with the large size and geographic breadth of the US programme, the Commission has also established four regional offices (in Pennsylvania, Georgia, Illinois and Texas). These regional offices provide a direct link to state and local governments and individual installations through resident inspectors stationed at each nuclear power plant. 64 The role of the Office of the Inspector General should be highlighted. This office is functionally independent of the Commission, issuing reports on how the agency conducts its business from the standpoint of efficiency, ethics and effectiveness. The office has a separate budget, approved by the Congress, to avoid any suggestion that the Commission is unduly influencing its reviews so that the Commission cannot limit its resources if it does not like the kind of reporting it is getting. As mentioned, the Commission has created two independent bodies to provide technical advice to the Commission. The Advisory Committee on Nuclear Waste and the Advisory Committee on Reactor Safeguards (meaning safety) are comprised of expert scientists and engineers. Law and regulations require that the views of these bodies be considered in the licensing process. Regulatory independence and the NRC Although it is difficult to define regulatory independence, the regulatory framework within which the NRC functions has been structured to insulate the Commission from outside influence in its decision making on issues affecting public health, safety, security and the environment. Key features of this framework are the following: Separation of functions: As an organization, NRC not only has no responsibility for promoting or developing nuclear energy, but — importantly — is completely separate from any other government bodies having such responsibilities. Political influence: As already noted, no more than three of the five commissioners can come from a single political party. In a country with two dominant political parties, this helps protect against partisanship, no matter how much control one party may have on other organs of government. Commissioners also serve relatively long (5 years) fixed terms, and may also only be removed for “cause” ( i.e. not because they have lost favor with the current political leadership. Conflicts of interest: The Commission implements very strict that prohibit the commissioners or any of the NRC staff from having a financial or personal interest in entities or subject that may be subject to their regulatory decisions. Transparency is important in this regard. NRC employment regulations require annual financial disclosure reports to ensure that improper relationships are identified and eliminated. Openness: The concept of transparency goes even further at the NRC. Several laws ensure that the commission’s decision-making process is conducting in public. For example, the Government in the Sunshine Act requires advance public notice of meetings, with a right of attendance by interested parties. The Freedom of Information Act requires broad public access to any materials used in the decision-making process. Reporting: An important guarantee of independence is NRC’s ability to provide extensive safety-related information to the public, media, other governmental bodies, without review or clearance from any other government agency. Budget and finance: The NRC covers essentially all of its budget through license fees, as authorized in an annual appropriations act by the Congress. This “full cost recovery” approach is believed to provide at least some insulation from political pressures that could result from having NRC’s resources derived entirely from tax revenues. Further, the NRC is entitled to 65 submit its own budget to the Congress, subject only to review by the President’s Office of Management and Budget (OMB). Technical capabilities: For any agency responsible for regulating a complex technology, it is important to possess adequate scientific, engineering, management, financial and legal expertise. The NRC’s large staff (almost 3000 employees) reflects high technical competence and covers cover a wide range of technical areas. This provides important independence from the regulated industry in terms of assessing information provided by licensees. Oversight mechanisms: As final insurance against improper decision-making, the NRC system includes important oversight mechanisms. The internal — but independent — Office of Inspector General provides a scheduled review of NRC’s management. External oversight is exercised by the independent judiciary through appeals of NRC decisions to the federal courts. Congress also conducts oversight that can result in remedial action through legislation or appropriations. The eight elements outlined above do not guarantee absolute independence, a status that is both impossible to achieve and undesirable in principle. However, these elements are important in assuring that safety judgements are not subordinated to other interests — political, economic or social. This degree of independence helps maintain public confidence in the safe uses of nuclear energy, and indispensable prerequisite for its continued use. NRC implementation of main regulatory functions In the following is described in greater detail the manner in which the NRC implements its responsibilities in the main areas of regulatory activity: standard-setting or rulemaking, licensing, inspection, enforcement, regulatory research and public information. Standard-setting or rulemaking At the NRC, regulatory standards are issued through a process called rulemaking. The process is primarily initiated by the Commission’s technical staff, although any member of the public can propose that NRC develop, change, cancel or rescind any regulation. The Commission receives many such requests from environmental organizations and local organizations. NRC rulemaking is a very open process, with public participation a keystone. NRC cannot promulgate rules without giving the public an opportunity to make comments. Before a rule is even drafted, the NRC staff often holds public meetings or workshops to solicit views on a proposed rule. The preferred approach to rulemaking is to provide advance notice of a proposed rulemaking in the Federal Register (the daily federal publication that announces significant government actions). Such an advance notice of proposed rule making is short, typically about a page long; stating that the Commission is considering adopting a new rule or changing or cancelling an old one. Some considerations may also be included, with an indication of initial factors the NRC staff is considering as a basis for the rulemaking. A period of time (usually not less than 30 days) is provided for comment by stakeholders (i.e. industry, interest groups, the public). Emergency rules or minor rules may be issued without public comment, but that is exceptional. After receiving comments, the NRC staff develops the text of a proposed rule. This text is also placed in the Federal Register, for specific comment. Depending on the significance of the issue or on the comments received, the NRC will determine whether to conduct a public 66 hearing on the proposed rule. After comments on the proposed rule are received and evaluated, and a hearing conducted or denied, a final rule (reflecting any changes considered appropriate) is published in the Federal Register. NRC rules are subject to challenge in the federal courts. As previously indicated, such appeals are typically based on whether the procedure followed in adopting the rule has complied with relevant legal requirements; not whether the NRC’s technical judgements are correct. The NRC has recently taken steps to make its rulemaking process even more open and efficient. The Commission has created a website “NRC Rulemaking Forum” giving advance notice to the public of rule making and providing a mechanism for receiving comments electronically. The NRC rulemaking process may appear protracted and cumbersome. However, it is consistent with the country’s traditions of open and democratic traditions decision making. It has also been found useful in creating a more stable regulatory system because Commission decisions are less likely to be challenged or overturned if NRC can demonstrate that the public has been involved fully and at every stage in establishing regulatory standards. Licensing For some years, NRC’s reactor licensing function has not been particularly active. The Commission has not received an application for a new nuclear power plant since the late 1970s. However, the Commission has used this period to streamline and update the licensing process. The traditional approach to licensing power reactors was a two step process, involving a separate Construction Permit (CP) and an Operating License (OL). This process is set forth in Part 50 of the Commission’s rules (in Title 10 of the Code of Federal Regulations (CFR)). Part 50 lists the extensive requirements such licenses. Extensive evaluation of the licensing process, urged by the nuclear industry and some in Congress, convinced the Commission that this two-step process was unnecessarily cumbersome and inefficient. As a result, the NRC adopted a streamlined, combined CP/OL licensing process that is set forth in Part 52 of the CFR. Under this approach, an applicant with a pre-approved site and approved design can obtain a single license permitting him to operate the plant. Part 52 details the requirements for site and design approvals. Even under the new Part 52, the reactor licensing process is lengthy and complex. The following summary identifies the major steps in the NRC process: x The applicant must submit a safety analysis report (SAR) covering essential factors including: design criteria and information; comprehensive site data; safety features to prevent and mitigate hypothetical accidents; an environmental report on potential impacts; and economic information for purposes of an antitrust review (analyzing possible competitive economic effects). x The application must also be reviewed by the Commission’s independent Advisory Commission on Reactor Safeguards (ACRS). x The NRC staff prepares an environmental statement that is issued for public comment. 67 x A public hearing on the application is required before one of NRC’s atomic safety and licensing boards (ASLB). An ASLB is comprised with 3 members, two of which have technical backgrounds and one who is lawyer. Typically, an ASLB is chaired by the lawyer, who is expected to deal with legal and procedural issues. x During this process, the Commission may issue a limited work authorization (LWA) to permit certain site preparation and initial construction activities on a “reasonable assurance” that the plant will meet safety and environmental requirements. x After the public process has been completed a final safety analysis report (FSAR) is prepared, setting forth details justifying the issuance of the license. x Under the Part 52 process, the Commission may issue an early site permit (valid for 10– 20 years) and a standard plant design certification (valid for 15 years). A number of sites in the USA have received early site approval. Also, several standardized plant designs have been certified. A hearing is mandatory under Part 52, after completion of the ACRS and NRC staff reviews. An important benefit of the combined Part 52 license is that issues resolved in early site permit or design certification proceedings cannot be considered at the combined license stage. Even in the absence of applications for new nuclear power plants, the NRC has been confronted with important licensing issues. The first of these is license renewal. Nuclear plants in the USA were originally licensed for 40 years. A number of operating plants are now approaching the end of their license terms. This raises the issue of whether (and if so, for how long) they should be authorized to continue operating. With over one hundred operating reactors in the USA, the NRC anticipates a large number of requests for license renewal. The commission’s regulations in Part 54 of Title 10, Code of Federal Regulations, establish detailed safety requirements for license renewal. The NRC’s primary focus in it license renewal review is on so-called “passive” and “long-lived” structures and components (e.g. reactor vessel, reactor coolant pumps, piping, steam generators, pressurizer, valve bodies and pump casings). A must demonstrate that any ageing effects will not unacceptably effect the safety of the plant. License renewal also requires another environmental review, supplementing the original review, for the purpose of assuring that extended operation will not have unacceptable impacts. A second major licensing issue confronting the NRC is license transfer. Restructuring and deregulation of the electricity industry for economic reasons has accelerated in recent years in the USA. New companies are getting into the business of generating electricity, while other companies are leaving the business or merging into new legal entities. Where a new legal entity takes over an existing nuclear plant, continued operation will require a transfer of the current NRC operating license. For this to happen, the Commission must make a determination that the new operating organization has the technical, management and financial capabilities to operate the reactor safely. Inspection The third key regulatory function is inspection. NRC conducts a wide range of different types of inspections of nuclear reactors, fuel cycle facilities and other users of nuclear material. For nuclear reactors, the Commission inspection programme is primarily conducted 68 through a system of resident inspectors. The Commission has assigned at least two resident inspectors to each site, with additional inspectors for sites with multiple reactors. Resident inspectors continually monitor licensee activities on the site, both obtaining and transmitting early information concerning plant conditions and facility events. The resident inspectors provide direct contact between NRC management and the licensee. They also evaluate what additional inspection activities may be needed that they are not competent to conduct themselves. Many of these special inspection activities are conducted from the NRC’s four regional offices and some from the Commission headquarters. Specialist inspectors from headquarters or regional offices typically cover such as radiation protection, instrumentation and control, earth sciences and fire safety. In terms of overall inspection effort, the NRC spends an average of approximately 3250 inspection hours (about 6 person-years) on each reactor annually. The NRC has also developed specific reactor inspection programmes for the major phases of nuclear power plant construction and operation, including: pre-construction activity, construction permit activity, pre-operational phase, start-up phase, operations phase and decommissioning phase. Outside the power reactor field, NRC also conducts approximately 1700 health and safety inspections of nuclear materials licensees annually. Qualification requirements for NRC inspectors include: a college degree in engineering or physical science, experience in the nuclear industry (except for interns), onsite inspection training, qualification board and certification and periodic refresher training. The NRC provides an extensive training and certification programme for inspectors at its training center in Chattanooga, Tennessee. Much of the training is done through reactor simulators at the training center on full-scope simulators covering most major reactor designs used in the USA. Each NRC inspection is fully documented in a formal report that includes: scope of the inspection and conclusions on the effectiveness of the programme inspected, licensee management and quality assurance programme, strengths and weaknesses of the licensee, compliance with NRC requirements, findings to support conclusions and determinations on violations (generally dealt with in a separate enforcement proceeding). Finally, with regard to inspection, it should be noted that the NRC has recently implemented a new reactor oversight process utilizing a risk-informed, performance-based approach focusing on safety issues deemed of greatest importance. This approach aims at refocusing inspection effort and reducing the burden to both regulators and operators by taking advantage of risk insights. Although it involves the entire range of regulatory activity, it is particularly relevant to the inspection and enforcement functions. This new approach is discussed in some detail in 6.3.1 — NRC’s risk-informed, performance-based assessment programme. Enforcement The fourth key regulatory function is enforcement. The importance of the enforcement function is underlined by the fact that NRC maintains an office of enforcement that is separate from organizational bodies conducting regulatory inspections. Requiring inspectors to justify the need for enforcement action by another Commission body, is not only a check on overzealous inspectors, but encourages full documentation of violations. The objectives of NRC enforcement action are to deter licensees from failing to comply with NRC regulatory 69 requirements and to encourage licensees to promptly identify and to correct any violation of safety significance. Three types of enforcement actions are employed by the NRC: notice of violation, civil monetary penalties and orders to modify, suspend or revoke licenses. Violations are ranked by their significance from severity level I (most serious) to severity level IV (least serious). NRC considers four factors in determining the level of significance: actual safety consequences, the potential or future safety consequences, impact on NRC’s regulatory functions, intent of the violation (e.g. whether the licensee committed the violation deliberately or was merely careless, or did not understand the requirement). In applying its enforcement sanction, the Commission may consider civil monetary penalties for Level III violations (these are routinely used for Level I and II violations). The Atomic Energy Act authorizes the NRC to penalize a licensee up to 120 thousand dollars per day. A more severe sanction would be to close down a facility entirely, an action the NRC is also authorized to do in cases where the public health and safety may be at risk. The amount of a civil monetary penalty will depend on several factors, including: type of licensed activity, type of licensee, severity level of the violation, whether the licensee has been the subject of significant enforcement action in the past two years or past two inspections, whether the licensee should receive credit for identifying the violation, whether the licensee has taken prompt and effective action to correct the violation, whether, in view of all the circumstances, discretion should be exercised with regard to the amount of the penalty. In 1999, the NRC assessed over a million dollars in civil penalties. The money obtained through NRC enforcement does not come directly to the Commission, but it goes to the US Treasury. For serious violations we do have criminal prosecution penalties. For serious, intentional or repeated violations, criminal penalties (e.g. imprisonment) may be applicable. In such cases — extremely rare — the NRC will refer the matter to the Department of Justice for further investigation and possible prosecution. Regulatory research NRC has a very substantial regulatory research programme. The Commission usually refers to its programme as confirmatory research to make clear that its purpose is to support its regulatory mission, not the development or promotion of nuclear energy. The programme has three main objectives: to provide independent information to support regulatory decision making, to assess the potential safety significance of technical issues, and to prepare the NRC to deal with future safety issues arising from new designs and technology. NRC’s research budget, which had averaged about $100 million annually, has been reduced to approximately $70 million in recent years due to government deficit reduction efforts and other circumstances. With more limited resources, current NRC research activities have focused on issues of greatest significance for nuclear safety, including: emerging technologies (e.g. digital instrumentation and control systems), plant ageing issues, decommissioning, operating experience, and risk-informed regulatory approaches. More limited resources have also encouraged the NRC to look for opportunities to conduct cooperative safety research with other nations in joint bilateral or multilateral 70 projects. The NRC maintains a large cooperative programme with Japan, a joint project with Russia, and with other countries. Public information NRC considers public information one of its most important responsibilities. Public confidence in the safety of nuclear energy depends, to a great extent, on the openness and credibility of regulators. NRC maintains a separate Office of Public Affairs that reports directly to the Commission. Each of NRC’s four regional offices also maintains a public affairs office. As discussed earlier, a number of laws require the Commission (and all other US government agencies) to provide a broad range of information to the public, the legislative branch, and to the press and media. Examples of the wide-ranging materials made available by the Commission are provided in the next section of this Section — NRC regulatory guidance. The NRC’s website (www.nrc.gov) provides access to this information in electronic form. Regulatory guidance The system through which the NRC provides regulatory guidance is extremely wideranging and diverse. It should be emphasized that this guidance is not directed solely to licensees. Of course, guidance is essential in achieving an effective regulator-operator interface. However, it is also important to recognize that the regulatory guidance has many stake-holders who seek to review this guidance and to utilize it for their purposes. Such stakeholders include: local and state governments having important roles in the regulatory process; other federal agencies; interest groups (i.e. local community groups, environmental organizations);the press and media; other nations; international organizations; and members of the general public. It should not be ignored that the primary consumers of regulatory guidance are NRCs own employees, who will be expected to conduct their responsibilities consistently with agency policies and standards. NRC guidance ranges from highly formal documents that are strictly binding on licensees and NRC staff, to less formal guidance on general Commission policy. This guidance is also multifunctional, ranging from organization and management procedures, through standards and technical specifications, to inspection and enforcement requirements. This guidance also covers many different subjects. An important feature of NRC’s guidance system is that virtually everything NRC produces as a guideline is publicly available, resulting in a highly transparent process. Finally, another important aspect of the NRC system is that it is a process in constant revision and reinvention. NRC guidance documents are continually reviewed, updated, changed and cancelled accordingly. Before discussing some of the most important examples of NRC regulatory guidance, it may be useful to have a general overview of the types of documentation developed and made available by the Commission. Table VII — Survey of USNRC guidance documents provides such an overview. 71 TABLE VII. SURVEY OF US NRC GUIDANCE DOCUMENTS x x x x x x x x x x x x x x x x x x x x x x x Code of Federal Regulations — Title 10 Regulatory Guides NRC Legislation NRC Inspection Manual ADAMS Federal Register Notices Standard Programme Enforcement Reports Inspection and Assessment Reports Operational Experience Reports Part 21 Reports SALP Reports Technical Reports Administrative Letters NRC Bulletins Generic Letters Information Notices Regulatory Issue Summaries Inspector General Reports Commission Meeting Transcripts Preliminary Notifications Speeches Information Digest It would not be either possible or useful to attempt to describe all of these documents. However, they can be easily accessed through the Internet, to provide a detailed picture of NRC’s regulatory approach. The legal pyramid of guidance documents As in most other nations, the legal pyramid in the USA is comprised of the fundamental law or constitution at the top, regular legislative acts or laws at the next lower level, regulations at a lower level still, with technical standards and regulatory guidance at the lowest level. For the USA, the top of the pyramid is occupied by the US Code Annotated, the official compilation of laws enacted by the Congress. To the extent that these laws sometimes adopt specific requirements that must be applied by the NRC, they could be considered a form of regulatory guidance. Code of Federal Regulations: However, the highest level of material that can be properly considered NRC guidance is probably the next lower level, which is occupied by the code of federal regulations (CFR). The CFR comprises the regulatory enactments of all US Federal agencies. Title 10 of the CFR contains energy-related regulations, including those promulgated by the NRC. These regulations are promulgated through formal agency procedures, typically involving the requirement for public notice and opportunity to comment. Title 10 contains basic standards generally applicable to all NRC licensees, with a range of technical references. The Index to Title 10 is about 4 pages and lists all subjects in the CFR that pertain to the business of nuclear regulation. However, only a few parts of the CFR need 72 special mention here. Examples of those particularly relevant to the regulation of the safety of nuclear reactors include: Part 2 Part 20 Part 21 Part 25 Part 50 Part 51 Part 52 Part 54 Part 55 Part 100 Part 171 rules for licensing proceedings. radiation protection standards. reporting defects/non-compliance. fitness for duty reports. licensing of production and utilization facilities (NPPs). environmental protection. early site permits/standard designs. NPP license renewal. operators licenses. reactor site criteria. annual fees for reactor licenses. NRC regulatory guides: An important category of NRC guidance is regulatory guides (see Table IV, number 2). These are designed to provide guidance to licensees and applicants on implementing specific NRC regulations. They explain the methodologies and techniques used by the staff in evaluating certain problems or accidents. They also provide specific data needed by the NRC staff in reviewing permits or licenses. They inform a licensee what he has to submit for the purpose of obtaining authorization to conduct a licensed activity. The regulatory guides fall within 10 divisions, as follows: x x x x x x x x x x Power reactors. Research and test reactors. Fuels and materials facilities. Environment and siting. Materials and plant protection. Products. Transportation. Occupational health. Antitrust and financial protection. General. NRC inspection manual: Very important document is the NRC inspection manual that is primarily intended to guide NRC inspection staff in regulatory activity. However, it also provides guidance to licensees and public on how NRC conducts its work including procedural and organizational matters. The manual is an internal document, it is not subject to the level of outside review or public participation like the Code of Federal Regulations. NUREG Documents: Somewhat below the regulations and regulatory guides there are reports in a numbered series designed NUREG Documents. The series was begun very early in the history of the Atomic Energy Commission. NUREG Documents are technical reports on subject of broad interest. They are not regulations, nor even mandatory documents, but they provide important on technical subjects of broad interests. They also include directories, manuals, procedural guides for internal NRC use, as well as the proceedings of meetings or conferences on technical subjects. International agreements are also set forth in NUREG Documents. Generic environmental impact reports, which are general statements about the impact of certain kinds of nuclear activities on the environment that are used in the licensing 73 process are also included in this series. Reports about contracts the NRC has negotiated with other organizations are a final category of NUREG. Generic communications: Because they do not fit in any other category, NRC has included a number of documents in a series called “Generic Communications”. The category can include administrative letters to licensees about aspects of their work that are concerned to the Commission. The series also includes bulletins on technical or administrative matters, circulars, generic letters and similar documents (for example, those relating to a common mode problem in a reactor system). Information notices and regulatory issues summaries are also circulated to the public. These concise summaries describe the handling of regulatory issues of particular interest. Inspector General reports: The Inspector General issues annual and semi-annual reports on specific topics providing the reports of his investigations on NRC management practices to ensure efficiency, effectiveness and integrity. This is the important mechanism of the NRC’s internal quality assurance process. The Inspector General may also report on conduct by licensees where that conduct affect NRC regulatory programmes. Inspector General reports are read very carefully on the subject of great interest. Accessing NRC regulatory guidance documents: The first stopping point for anyone seeking a particular NRC guidance document is the agency’s website at www.nrc.gov. The site is a userfriendly clearing-house for the complete range of NRC documentation. In addition to the NRC website, another avenue for research into the Commission’s guidance documents has recently been developed. ADAMS is the acronym for NRC’s new automated data acquisition and management system, an information technology engine that puts every piece of paper in the NRC system into an electronic form that can be accessed by authorized persons. ADAMS will permit rapid access to every aspect of the NRC regulatory guidance system, enabling the Commission to communicate with its licensees, the public and other people. 74 75 Office of the Inspector General Office Nuclear Materials Safety & Safeguards Chief Information Officer Office of Public Affairs Region III Chicago, IL Region II Atlanta, GA Region I Philadelphia, PA Atomic Safety and Licensing Board Office of Secretary of the Commission Office Small Business and Civil Rights Region IV Arlington, TX Incident Response Operations Office of Human Resources Deputy Executive Director for Management Services Office Commission Appellate Adjudicat Office of General Counsel Office International Programs FIG. 11. US Nuclear Regulatory Commission — organization. Office of Investigations Office of Enforcement Office of Nuclear Reactor Regulation Office of Administration Office of State and Tribal Programs Office of Nuclear Regulatory Research Deputy Executive Director for Reactor Programs Executive Director for Operations Chief Financial Officer Office of Congressional Affairs Deputy Exec. Dir. for Materials, Research and State Programs Advisory Committee on Reactor Safeguards Advisory Committee on Nuclear Waste The Commission (5 commissioners) 2.3. LICENSING OF A NUCLEAR POWER PLANT 2.3.1. IAEA approach to licensing The Convention on Nuclear Safety presents in its Article 7 that the legislative and regulatory framework shall provide for a system of licensing with regard to nuclear installations and the prohibition of the operation of a nuclear installation without a license. The license means any authorization granted by the regulatory body to the applicant to have the overall responsibility for the siting, design, construction, commissioning or operation of a nuclear installation. The licence is an official document that authorizes a specified activity or set of activities in connection with nuclear installations and establishes requirements and conditions governing the performance of these activities. Such sets of activities are often: siting, construction, commissioning, operation and decommissioning. Further details concerning licences are given in 5.1.2.5. In this respect, the licence and its set of conditions fulfils several functions: the licence may be the appropriate (and best) means to develop, interpret and complete the legislation/regulation when the latter follows non-prescriptive approach, and it will make mandatory appropriate parts of guides and standards, as well as specific proposals made by the applicant (this is usually the case in a non-prescriptive approach, where the choice of methods or solutions will be based on such proposals and submitted to the regulatory body for approval). The licence could thus fulfil a part of the functions attached to regulations in the case where appropriate regulations are not available. The licence is the final result of evaluation (review and assessment) of the application and formulates the conclusions and decision(s) of the regulatory body relative to it and, as such, it gives the applicant the formal authorization to proceed within the limits set, on the one hand, by the legislation and, on the other hand, by the conditions included in the licence. Licence conditions are always mandatory and have the force of law. They have to be included in the licence either explicitly or by reference or attachment. Licences may include (parts of) legislation/regulation and other relevant documents by quoting, by reference or by attachment. In the licensing process, the licence is at the key-point of starting a new set of activities of the “applicant” and where the “applicant” becomes a “licensee”. The licence with its conditions is a living document: it can be adapted (sometimes it has to be adapted) to a changing situation (e.g. modification of the plant; experience feedback; new knowledge brought by research); it can also be suspended or revoked. Only the regulatory body has the legal power to modify, suspend or revoke a licence. The licensee may request a modification of its licence, but it has to do so through a new application. More detailed guidance on the format and content of licence document is given in 5.1.2.5. 76 2.3.2. Examples of licensing practices 2.3.2.1. USA The current trends in the USA in the licensing and re-licensing of nuclear power plants are presented in 2.1.2.4. 2.3.2.2. United Kingdom In the UK, the NSD as regulatory body grants only one licence at the creation of the nuclear facility. At each new stage in the life of the facility, that means also at each stage of the licensing process, the initial licence will be amended and the set of licence conditions will be adapted to the new stage. The British licence contains a standard set of 35 licence conditions. The NSD can modify a licence condition without delay and without a possibility of appeal. Each nuclear site licence has conditions attached that have the force of law and which place either absolute requirements or require the making of adequate arrangements and compliance with those arrangements. A fundamental feature of one condition is the requirement for the licensee to demonstrate the safety of the proposed operation in a document known as the “safety case”, prior to the start of that operation. Breach of any law, regulation or licence condition is a criminal offence and the offender may be prosecuted in the United Kingdom courts of law. 2.3.2.3. Switzerland In Switzerland, the licence is a general authorization usually for a whole set of activities involving one nuclear facility (nuclear power plant or other nuclear facility including associated radiological aspects) or for a single step in the case of a „small“ project such as a radiochemical laboratory with only aspects of radiological protection. In the case of the nuclear facility, it is the government itself (Federal Council) that has the exclusive competence to grant the licence. A modification of a licence condition needs re-issuing the licence along the licensing procedure, i.e. including consultation and possibility of appeal. However, in case of urgency, the Swiss safety authority (HSK), has the power to issue an order to modify a particular licence condition or even to suspend the licence, but this has to be eventually confirmed by the licensing authority. Within the frame of a valid licence, the HSK defines sets of the licensee’s activities for which its approval is necessary prior to starting specified activities. Upon its approval, the Inspectorate has the competency to give the corresponding authorizations directly to the licensee and does it in the form of issuing “execution permits”. This gives to the Inspectorate a practical and efficient means of controlling the licensing process (e.g. selected parts of construction work; manufacture of important components; assembling and wiring on site; sets of commissioning tests; start up after refuelling or after modification or repair; etc.). 2.3.2.4. Licensing and commissioning of nuclear power plants in Finland [16] In Finland, licensing procedures are presented in the Nuclear Energy Act and Decree. Licensing documents are handled in more detail in Section 4. Applications are sent to the Council of State and the administrative body handling the applications is the Ministry of Trade and Industry. According to the law STUK is the expert body to review the nuclear 77 safety aspects. STUK gives its statement including its stand on nuclear safety and safety assessment report to the Ministry. The siting and construction of a nuclear power plant requires the decision in principle of the council of state stating it is in line with the overall good of society. According to the Nuclear Energy Act, the decision in principle shall be given to parliament for review so that parliament may reverse the decision in principle as such or may decide that it remains in force as given. In the application, one or several plant site and plant type options may be given on which a decision will be made later. In accordance with Nuclear Energy Act, STUK makes a preliminary safety assessment of the application. When preparing the safety assessment, STUK invites comments on the assessment from the advisory committee on nuclear safety and, where necessary, also from other expert organizations. A nuclear power plant construction licence as well as an operating licence is applied for from the council of state. STUK issues statements on the applications for a construction licence as well as for operating licence. The statements are supplemented with safety assessments. When preparing the safety assessments, STUK invites statements on them from the advisory committee on nuclear safety and, where necessary, also from other expert organizations. The prerequisites for granting a construction and operating licence are prescribed in the Nuclear Energy Act. In its safety assessment STUK takes a stand on the fulfilment of statutory requirements as regards the issues to be reviewed by STUK. According to the Nuclear Energy Decree, the various phases of nuclear facility construction may be started only after STUK is satisfied for each phase. STUK exercises detailed control over the construction of the facility. This control aims to ensure that the conditions of the construction licence, the regulations which apply to pressure vessels and the approved plans are complied with and that the nuclear facility is built, also in other respects, in accordance with the regulations issued by virtue of the Nuclear Energy Act. During construction, control is focused on the working methods in particular to guarantee high quality. The licensee shall appoint a responsible manager and his deputy for the construction of a nuclear facility who have approval from STUK for this job. The qualifications required of the responsible manager are presented in the Nuclear Energy Decree. Pursuant to the Nuclear Energy Decree, STUK ensures that the operating organization is adequate and appropriate and that the individuals participating in the use of nuclear energy meet the qualifications required and that proper training is arranged for them. According to the Nuclear Energy Decree, the licensee shall appoint a responsible manager and his deputy for the operation of a nuclear power plant who shall have approval from STUK for this job. Pursuant to the Nuclear Energy Decree, the operator of the facility systems in the main control room of a nuclear facility must have STUK's approval for the job. A trial run is an essential part of a nuclear power plant's commissioning. It serves to demonstrate that the plant is built and operates according to design. The trial run is divided into the following main parts: systems tests, fuel loading and pre-criticality tests of reactor systems, reactor criticality and tests at low power, and tests at various power levels. STUK controls nuclear power plant trial run by reviewing the overall trial run plans and programmes, by witnessing the tests conducted at the power plant and by inspecting the trial run result reports. Nuclear power plant operation is considered to begin when the loading of nuclear fuel into the reactor is started. At this stage, to ensure that the plant conforms to the regulations that 78 apply to it, STUK makes a specific inspection to ensure that the plant and the operating organization are ready for the operation. Reactor loading may be started when STUK has approved the loading application and the reactor and fuel behaviour reports for the first fuel cycle. The reactor may be made critical and brought to a higher power level in conformity with STUK's decisions. When the trial run has ended, the licensee and STUK will carry out an overall assessment of the results. Based on the results of the trial run, also the technical specifications are reassessed. Based on the assessment, the licensee makes any necessary changes which are then approved by STUK. 2.3.2.5. Licensing in Germany: principal parties involved [17] Licensing authorities In Germany there is no central licensing authority like in most countries. The implementation of the nuclear licensing procedure is within the competence of the supreme authorities of the Länder but the Federal Government retains the ultimate legal power and the right to overrule local decisions, if necessary. Thus, the construction and operating licence for a nuclear facility will be granted by the respective Land authority acting as the nuclear licensing authority. There is co-operation between federal supervisory authorities and nuclear licensing authorities. The Supreme Land authorities (ministries), appointed by the Land governments, are responsible for licences and interim decisions in accordance with the Atomic Energy Act as well as their withdrawal and revocation. In general, these authorities are the respective ministries for the environment or economic affairs of the Länder. These authorities also supervise facilities according to the Atomic Energy Act and the use of nuclear fuels outside the facilities. In individual cases, they may appoint subordinate authorities to carry out this task. Federal offices and advisory committees The Federal Office For Radiation Protection (BfS) was established as the sovereign supreme federal authority in Salzgitter in the portfolio of the Federal Minister For The Environment, Nature Conservation and Reactor Safety (BMU). This Federal Office performs administrative tasks in the fields of radiation protection, nuclear safety and the transportation of radioactive substances and radioactive wastes. It supports the BMU in technical and scientific matters and also does research in fulfilment of its tasks. Among other things, the Federal Office for radiation protection is responsible for: x State custody of nuclear fuels; x Construction and operation of plants of the federal government to secure and permanently store radioactive wastes; x The transportation licence for nuclear fuels and large sources, as well as its withdrawal and revocation; x The licence for storage of nuclear fuels outside of state custody. 79 In addition, the Federal Office is the Federal Government Centre for the monitoring of environmental radioactivity and keeps the radiation protection register. The radiation protection register includes data on the radiation exposure of persons exposed to radiation due to their profession, In order to keep watch over the values of the maximum permissible dose as well as data on compliance with the principles of radiation protection. The Federal Export Agency and the customs authorities of the Federal Minister of Finance, respectively, are responsible for licensing the import and extort of nuclear fuels. The following advisory commissions and one co-ordination panel (Federal Government/Länder) are available to the BMU for the purpose of federal supervision of the Länder: x Reactor Safety Commission (RSK). x Commission on Radiation Protection (SSK). x Länder Committee for Nuclear Energy. RSK and SSK prepare recommendations for the BMU concerning special safetyrelated matters in general or on a particular nuclear power plant. The Reactor Safety Commission advises the BMU on all safety-related matters related to nuclear reactors and nuclear fuel cycles. In general, the RSK consists of 18 members who represent the different technical areas of nuclear engineering, as e.g. constructional engineering, measurement and control engineering, reactor physics, systems control engineering and the science of materials. As a general rule, membership is limited to three years and constitutes a personal honorary function without allowing substitution. The members are appointed by the BMU. They are independent and not bound by directives. The Commission on Radiation Protection has the task of advising the BMU in all matters related to the protection against the hazards resulting from ionising radiation. In general, the SSK consists of 17 members who need to have special knowledge of one of the following main areas: biophysics, radiochemistry, radiology and nuclear medicine, radioecology, radiobiology, non-ionising radiation, radiation genetics, radiation protection medicine, radiation measurements technique and radiation protection technique. As with RSK, the SSK-membership constitutes a personal honorary function. As a general rule, the members are appointed by the BMU for a period of three years. They are independent and not bound by directives. The Committee for Nuclear Energy debates and co-ordinates questions related to the application and interpretation of statutes and ordinances pursuant to nuclear law and radiation protection law. With a BMU-representative in the chair, it consists of referees from the other Federal ministries as well as the department heads/functional department referees of the Länder ministries. As an Advisory and Co-ordination body of the Federal government, its decisions are only recommendations, in practice, however the Committee for Nuclear Energy plays an important role. According to the Atomic Energy Act, the construction, operation and possession of nuclear installations are subject to continuous supervision. The supreme authorities of the Länder are responsible for exercising supervisory and control functions, which they may delegate to subordinate agencies, in individual cases. In general, independent experts or expert 80 organizations, namely the technical inspection agencies (TÜV) are involved. In addition, import, export other professional handling and transportation of radioactive material, as well as construction and operation of final repositories for radioactive waste are subject to governmental licensing and supervision. Länder authorities and technical support organizations (TÜVs) Within the regulatory body of a state (Land) approximately 5 to 10 person-years per nuclear power plant unit and year are spent for inspection and supervision. Typically one to three inspectors are in charge of inspections regarding nuclear safety of one nuclear power plant unit. Inspection regarding e.g. radiation protection, often is delegated to subordinate governmental agencies. In addition, supervision for industrial safety and environmental matters, as legally required for all types of industrial activities is carried out by other competent agencies. In general, for all supervisory and inspection programmes independent experts are assigned by the Länder authorities for examination of reports, reported events, calculations, technical specifications, safety assessments for modifications and for conducting or assessing in-service inspections. In most cases, Technische Überwachungsvereine (TÜVs) are assigned as expert organizations. There are several TÜV-Organizations in Germany, historically assigned to and working mainly in the individual Federal Länder. Recent developments go for the formation of larger organizations (holdings, Ltd., Corporate) serving the needs of several Länder. Including non-nuclear inspection programmes (e.g. for cranes, fire protection, pressure vessels), which are also carried out by TÜV-personnel, a total manpower of approximately 30 to 40 man years per nuclear power plant unit each year is spent for inspection by experts. This does not, however, include safety assessments and expertise for major modifications, for which a licence is required. During refuelling outages, the presence of regulatory inspection personnel and experts at the plant is increased. On average, about 30 experts performing inspections and recurrent tests are constantly present at the site during the outage. The inspectors of the regulatory body are in possession of a university degree e.g. engineering, physics, chemical engineering) and have several years of practical experience in industry, research centres, with technical expert organizations or in licensing bodies. Personnel of technical expert organizations (TÜV), who are contracted as experts hold university degrees in technical fields or technical engineering degrees. For special inspections, e.g. pressure vessel inspection according to the pressure vessel regulation ordinance, state authorized and licensed inspectors are assigned, also within the TÜV organizations. The inspectors are trained in professional courses, symposia, workshops, simulator training courses and, as guests, during actual operation of nuclear facilities, and by exchange of experience. The inspectors authorized by the supervisory authorities, as well as experts consulted by them, have access to the nuclear installations, and may carry out necessary examinations and request pertinent information. To implement their respective tasks, the staff of the federal ministries and agencies and of the Länder authorities as well as their material expenses are budgeted within the Federal and the Länder governmental annual budgets. There are also budgets for research on nuclear safety and radiation protection. According to the basic principles of the administration cost act, fees are levied for all administrative actions in favour of individual persons or private companies. In the case of 81 licensing and supervision of nuclear installations, the Atomic Energy Act provides the regulation for the charging of costs, including fees and expenses, to the applicant or the licensee. Details on the respective fees are laid down in the atomic energy act cost ordinance. For example, the fee for granting a construction licence for a nuclear power plant is set to 2/1000 of the construction costs of the nuclear licensed part of the plant. For other licensing decisions, fees may range from 1000 to 1 Million DM. In addition, fees for conducting inspections and measurements are fixed. These fees shall be based on the actual expenses and will be invoiced to the licensee. The licensing as well as the inspection authorities may contract experts and expert organizations (TÜV´s) for expertise and conduct of inspections, provided these expenses are justified according to the technical needs and difficulties. The expenses for the experts are reimbursed to the regulatory body by the licensee. Experts In the licensing and supervisory procedure pursuant to the Atomic Energy Act or Radiological Protection Ordinance, the respective authorities may consult experts. Such consultation by the Länder authorities is normal practice. There are either experts organizations (e.g. Technical Inspection Agencies such as GRS) or individual experts. The selection criteria is: technical knowledge, experience, objectiveness, impartiality, neutrality and reliability. The experts are merely “helpers to the authorities” in establishing the facts of the case. They do not have any authority to make decisions. Their opinions are subject to the free evaluation of the evidence by nuclear licensing and supervisory authorities who make the final decisions. The essential questions of the examination in the licensing procedure are: (1) Which requirements are to be fulfilled by systems and components? (2) Can these requirements be fulfilled according to best practices? The Atomic Energy Act, the decrees, the general administrative rules and the so-called technical-scientific regulatory work (as e.g. guidelines, RSK/SSK-recommendations, safety standards of the nuclear standards committee (KTA-Regeln), German industrial standards (DIN-Norms) are the measuring instruments for decision-making. Applicant In Germany, applicants for the construction of nuclear facilities are in general independent companies that go on to operate the facility after licensing, i.e. applicant and operator are one and the same. An exception to this relates to the storage of plutonium and the treatment and final storage of radioactive substances. In this case, the Federal Office for Radiation Protection is the applicant and operator. The manufacturer or supplier of the nuclear facilities, for which the application is made, supports the applicant in drawing up the application documents. Involvement of the public If the licensing authority states that the application, the safety report and the brief description contain all the necessary information for the citizens, the project can be made 82 public. The planned project will be made public by official printed announcement. Usually, this is the official gazette for the Land. However, this measure alone is not sufficient, since the average citizen seldom reads these gazettes. Therefore, it is prescribed by law that the project has to be announced locally by the press published in the area of the facility concerned. After public announcement, the most important part of public participation begins. The application, safety report and brief description are made available for public inspection at the licensing authority and a suitable location near the project site. During the so-called presentation period, written objections can be raised. The term “objection” means any kind of opposition and arguments against the planned project. Thus, there are no formal limitations. The objections, however, have to be confined to the subject of the procedure. If sufficient objections are raised within the set period, a hearing will be scheduled. The Hearing constitutes the conclusion of public participation. This Hearing serves several purposes. On the one hand, the objections raised within the permitted time are discussed to clarify the concerns of those objecting. On the other hand, those objecting shall be granted the right of audience by being given the opportunity to specify their written objections orally. Further, those objecting shall receive information on other, in many cases also contrary, opinions. The Hearing is conducted by a representative of the licensing authority. This person has to arrange the procedure formally in such a way that all aspects are considered. None of the objections may remain non-discussed. Therefore, the leader of the Hearing stipulates the order of the subjects to be discussed at the beginning of the hearing. The licensing authority has to examine all of the aspects presented and must make a decision at the end of the licensing procedure. This is a difficult task because of the often conflicting positions of the different persons involved. 2.3.2.6. Licensing in Germany: legal aspects and procedures of assessment [17] Objective and reason for an assessment According to the Atomic Energy Act a licence may only be granted if the licensing prerequisites are given. This is to be examined by the respective licensing authority which can either carry out the examinations itself or consult experts. Generally, experts are consulted to show whether or not protective provisions have been made against damage due to the construction and operation of the plant in accordance with best engineering practices and if protection against interference and other impacts by third persons can be ensured. If a nuclear facility is built, a separate experts opinion is ordered for each partial licence, as a general rule. Partial licences have to be applied for by the applicant separately according to the Nuclear Licensing Procedures Ordinance. Thus, the applicant determines the number of partial licences, as far as there is a legitimate interest in doing so. Appointment of experts by the authority Pursuant to the Atomic Energy Act, the responsible authorities are entitled to consult experts. In general, these experts come from experts organizations. Foremost among these are Technical Inspection Agencies and GRS. The law, however, also permits consultation with 83 independent individual experts. There are no stipulations regarding special qualification prerequisites by ordinance, but primarily each expert has to possess technical knowledge and must be impartial and reliable. Due to the wide range of technical issues to be clarified when assessing a nuclear facility, the experts consulted may, upon agreement with the authority, confer sub- contracts on additional experts, as e.g. GRS. In this respect, the principles on the allocation of subcontracts by experts of the Länder Committee for Nuclear Energy are to be observed. Documents to be submitted According to the requirements of the nuclear licensing procedures ordinance, a safety report, among other things, has to be attached to the application for nuclear licensing, describing the hazards connected with the plant and the safety measures provided. In 1976 the Home Secretary (the minister responsible for reactor safety at that time) published “advice giving outline criteria for a standardized safety report for nuclear power plants equipped with pressurised water reactor or boiling water reactor”. The publication of the Home Secretary contains guidance for each section of the outline which should be considered when drawing up a safety report. A further list, which is the "collection of information necessary for the examination in the nuclear licensing and supervisory procedures (ZPI), comprises the documents required for the experts opinion, in addition to the safety report, and which also are necessary for the accompanying control. The requisition of documents is stated in thematic order and structured according to submission dates within each subject. The requisition of documents is subdivided into two categories. Documents of category “A” are to be submitted for examination of the licensing prerequisites, and documents belonging to category “B” are related to the fulfilment of constructional requirements or the accompanying control. The ZPI-list comprises about 50 pages and was developed from the experiences gained from previous licensing procedures. In particular cases, deviations from it are possible by non-requisition of single documents stated in the ZPI, or requisition of additional documents. As a general rule, the required documents are to be submitted by the applicants. Assessment criteria The criteria relevant for an assessment can be ordered hierarchically according to the their obligatory character. As a matter of course, the Atomic Energy Act and ordinances belonging to it, as e.g. the radiological protection ordinance, are to be observed as binding. For nuclear power plants, safety criteria and safety-related guidelines are also to be observed. The safety criteria include principles on safety-related requirements to ensure accident prevention according to the Atomic Energy Act. Incidents are listed in the safetyrelated guidelines. If an applicant has based the plant design on this, a licensing authority may regard the accident prevention requirements as fulfilled. All directives inferior to ordinances are not legally binding. In general, however, they represent the “modern most up-to-date science and technology” quoted in the Atomic Energy Act. An expert has to examine this before their implementation. If need be, he has to consider the latest operating experiences or latest research results. 84 The Reactor Safety Commission, the Advisory Body of the Federal Minister for the Environment, Nature Conservation and Reactor Safety, drafted guidelines for pressurised water reactors and boiling water reactors as a basis for their advisory activities. As the Reactor Safety Commission debates all significant licensing decisions and makes recommendations on the respective facts of the case, the RSK guidelines usually also are regarded as assessment criteria. In some areas, e.g. over pressure protection for pressure vessels and steam generators, there are no special nuclear regulations. In this respect, the requirements in accordance with regulations for conventional engineering are to be adapted to nuclear requirements, taking into account e.g. aspects of radiation protection. The nuclear regulatory work is subject to change. It is amended and modified. The safety standards of the nuclear standards committee (KTA-Regeln) for example are examined with regard to their relevance to the current situation every five years. The Technical Inspection Agencies issue loose-leaf summaries for internal use on the nuclear regulatory work entitled TÜVIS (TÜV information systems) to ensure the application of the latest regulations. At present, this loose-leaf collection consists of 18 files and is being revised continuously. An important tool for assessing the safety of nuclear facilities is the application of probabilistic methods. It is recommended in the safety criteria for nuclear power plants under “Principles on Safety Provisions” to determine the reliability of essential safety-related systems and plant components with the aid of probabilistic methods, as a supplement to the deterministic overall safety assessment of nuclear power plants. Currently, these are often applied. Form and contents of the assessment It is the objective of the expert organizations to proceed according to uniform rules regarding the kind and scope of the assessment. For this purpose, when the technical inspections agencies became associated, the head office for nuclear engineering of the technical inspection agency (TÜV-Leitstelle Kerntechnik) decided on a standard outline and a directive for safety assessment requirements for nuclear power plants with pressurised water reactors and boiling water reactors. Further, there is the “General Guideline on the preparation of experts opinions in nuclear administrative procedures” of the Home Secretary issued in 1983. The outline of an experts opinion corresponds to the outline of a standard safety report. According to the guidelines mentioned above, the introduction of the opinion embodies the task and assignment of duties. This is followed by a description of the facts of the case to be examined, all of which are solely based on the application documents. The assessment criteria for the layout of the respective safety equipment put up by the manufacturer are stated in the section “assessment criteria” and are examined with regard to completeness and applicability. The inspections carried out by the expert for the advisory assessment of the facts of the case are stated in the section “description of the inspections”. In the simplest case, it is a matter of comparison with the regulation requirements. Calculations are also carried out by 85 the applicant, sometimes with diverse computer programmes, e.g. in the field of failure analysis, strength, probabilistic or physical design. In many cases, conservative estimates are sufficient to substantiate the experts opinions. The examination of the completeness of supporting material submitted is an important part of the activities of the experts. It has to be examined, for example, whether or not all postulated incidents and the resulting loads have been taken into account. Based on a comparison of the examination results with the safety assessment standards an experts assessment of the facts of the case is carried out. For this purpose, the positive and negative results of the examinations are discussed in detail. Should the occasion arise that a positive overall result can only be achieved by fulfilment of later requirements by the applicant, these requirements have to be worked out carefully in accordance with the results of the experts opinion. These requirements, however, must be feasible. The expert has to sign his opinion personally with the following statement: " hereby declare to have delivered this opinion impartially according to the best of my knowledge and belief and free of pre-decided results'. Licensing steps The nuclear licensing authority not only has to examine the formal and material nuclear licensing prerequisites, but also has to observe other regulations under public law. Even though the authority states that the applicant of the project has fulfilled all nuclear licensing prerequisites as well as all other regulations under public law, and even if the result of the environmental impact assessment was positive for the applicant, the nuclear licence does not necessarily have to be granted. Now, the authority may use its discretion, as the authority is vested with the so-called rejection discretion according to the German Atomic Energy Act. This means that the authority may reject the application even if all licensing prerequisites have been met. Nevertheless, the discretionary considerations have to be reasonable and, in particular, correspond to the specific appropriation in accordance with the Atomic Energy Act. Thus, an arbitrary decision will not be allowed. A “discretion” is only possible if aspects concerning single nuclear licensing prerequisites and other regulations under public law could not have been examined up till then. In general, many aspects and partly contrary points of view are being brought together through the involvement of citizens and authorities. The licensing authority has to consider decision alternatives thoroughly on the basis of these aspects. Rejection of the project application If the licensing prerequisites have not been fulfilled and fulfilment cannot be ensured by additional conditions, the application for construction and operation has to be rejected. Preliminary decision It is possible that the applicant applied for a preliminary decision instead of a licence. It is permitted by law to issue a preliminary decision on special subjects if the granting of a nuclear licence depends on a positive response to special items. Thus, only questions at the 86 preliminary stage of a later licensing procedure will be clarified. By this, the preliminary decision anticipates statements of the later construction or operating licence. It is not prescribed by law which items can be clarified in advance by a preliminary decision. Only the preliminary decision on the plant location is expressly stated. Full licence The full licence for construction and operation of a nuclear facility is the guiding principle of the law. In general, however, such a project is so complex that it cannot be coped with by a single official decision. Therefore, it is common practice with major projects to divide the entire licensing procedure into several steps. The procedure subdivided into several sections, each of them ending with a decision-in -part of the authorities, i.e. the partial licence. Partial licences The stepwise procedure has several advantages. By subdividing the information material into several sections the procedure becomes more transparent. The work can be planned efficiently, thus saving time and costs. Moreover, applicant and licensing authority can each react more flexible in case of particular, small procedural steps. Above all, this manner of proceeding respects the principle of best possible danger prevention and risk precautions as each partial licence must correspond to the state of the art. First of all, an application by the operator for a decision by the authority on partial licensing procedures is required according to the law. For this purpose, the applicant has to demonstrate a legitimate interest in partial licences. The legitimate interest of the applicant consists generally of securing stepwise his considerable investment. The investment risk can be reduced by the granting of partial licences. Legal security is provided insofar as the licensing authority is bound by the licensing decision made. If the facts of the case do not change and the legal situation does not change to the disadvantage of the applicant, the applicant can count on the continued validity of the partial licence issued. The discretionary rejection becomes increasingly limited with each additional partial licence granted until, finally, the applicant has a legal right to the granting of the last partial licence, which is normally the operating licence. Just as with a full licence, the partial licence is a beneficial administrative act. It permits specified actions to be taken such as excavation, construction of the reactor building or installation of vital operational or safety systems etc. Usually, a partial licence involves various conditions and referrals. The partial licence differs from the full licence only by its limited regulatory content. In contrast to a full licence, the partial licence does not permit the complete construction and operation of a plant, but only parts of it. This implies that the nuclear licensing authority has carried out definitively an examination of and judgement on the licensing prerequisites for each partial licence. Preliminary positive overall decision In the end, the total of all partial licences shall be equivalent to the full licence, but this can only be achieved, if the parts fit together. Therefore, the partial licences must be related to 87 each other. The alignment can only be made if the total project as planned by the applicant is kept in view. If, for example, the foundation of the reactor building is licensed by the first partial licence, it is necessary to know the loads on and floor plan of the building. This, on the other hand, requires an adequate knowledge of the components, systems and machines which are to be located in the building. Therefore, a licence for a plant component can only be granted if the licensing authority has clarified the requirements of the total project at the outset. This implies a decision on the basic approval of the whole project. The preliminary positive overall decision represents the necessary linking between the licensed plant component and tie entire plant as planned. Announcement of the decisions The nuclear licensing procedure ends with an announcement of the decision of the authority. The authority has to promulgate its decision and the grounds for it in writing, and, of course, deliver it also to the applicant. In addition, the decision has to be delivered to the objectors as well. Further, the decision will be announced to the public in the official publication gazette and the local newspapers in the area of the plant. If more than 300 persons raised objections, the individual serving of the decision will be replaced by a public announcement. As only the decision together with the instructions for legal remedy will be published, and not the grounds for the decision, every citizen has the right to inspect the entire decision within two weeks beginning with the public announcement at the licensing authority or another office near the nuclear power plant. Upon request, those who object can obtain the decision in writing from the licensing authority. For this purpose, important partial licences — as e.g. the first partial licence or the first operating licence — usually are printed in book form. Additional licences Further to licensing pursuant to the Atomic Energy Act, a series of licences is additionally necessary due to parallel laws. Regional planning procedure The regional planning procedure serves the purpose of examining if and, where applicable, under which conditions the planned nuclear power plant meets the requirements of regional planning. Construction licence procedure All facilities to be built at a nuclear power plant require a licence according to building laws just as for conventional construction projects. In general, several partial construction licences will be granted. The first partial construction licence may not be granted before the first nuclear partial licence has been granted. In some Länder, the nuclear licensing according to the Atomic Energy Act includes the construction licence. 88 Licensing procedure according to Emission Control Act A licence according to the Federal Emission Control Act is required for cooling towers, conventional boiler systems and start-up boilers. Permission procedures according to water law The lowering of the ground water level, the treatment and drawing off of surface water during construction as well as the tapping and discharge of cooling water later during operation, all require permissions according to the water law. Industrial law procedures Reactor pressure vessels, steam generators and all other pressure vessels have to be licensed according to the industrial law, particularly with regard to maintaining industrial health and safety standards. Plan approval procedure According to the Atomic Energy Act, the Länder have to establish land collecting points for the interim storage of radioactive waste produced in their territories and the federal government has to establish facilities for safe custody and final storage of radioactive wastes. The construction and operation of these federal facilities as well as all major modifications of such facilities or their operation are subject to plan approval. The procedure for it is stipulated in the administrative procedure law. An important difference between plan approval procedure and licensing is the placement of all licences and similar official documents under one authority, i.e. the plan approval authority, unless otherwise stipulated by law. Only the regulations of mining and deep-storage law are not subject to plan approval. The plan approval represents an official function with regard to the facility plan. On the basis of a particularly formal procedure, the admissibility of specified facilities with regard to all public interests affected shall be determined. Further, all relationships related to public law between the operator and the persons affected by the plan shall be regulated finally in such a way that the required licences and similar documents subject to other legislative provisions are replaced by the decision of the plain approval authority. The incontestability of the legal continuity of the licence under public law shall be guaranteed by this decision. The procedure ends with the plan approval decision comprising all licences under the respective laws regarding areas of speciality. In contrast to the licensing procedure for nuclear power plants, partial licences are not provided for in the plan approval procedure. A particular regulation with regard to the mining law is stipulated in the Atomic Energy Act. The plan approval does not cover the admissibility of final storage according to the mining and deep-storage law. The decision on admissibility is a matter for the responsible mining authority. In contrast to the plan approval procedure, the mining law procedure is a continuous procedure which is carried out parallel to mine operation. It ends with the shutdown of the mine and, if necessary, the re-cultivation of the premises. 89 2.4. QUALITY ASSURANCE, PERFORMANCE REVIEWS AND SELF-ASSESSMENT IN THE REGULATORY BODY 2.4.1. Quality assurance 2.4.1.1. IAEA criteria for quality assurance Quality assurance plays an important role in regulatory activities. Quality assurance programmes within utilities and their subcontractors and especially the implementation of these programmes is of vital importance to nuclear safety. Simultaneously, the quality assurance programme of the regulatory body itself and implementation of the programme are of great importance. When studying the QA viewpoint of activities of regulatory body the same criteria as presented for nuclear industries is a good starting point. Article 13 of the Convention on Nuclear Safety [11] concerns quality assurance and requires: “Each contracting party shall take the appropriate steps to ensure that quality assurance programmes are established and implemented with a view to providing confidence that specified requirements for all activities important to nuclear safety are satisfied throughout the life of a nuclear installation.” Basic objectives, concepts and principles to ensure the safety of nuclear facilities are presented in the IAEA “Safety Fundamentals” [8]. The Safety Fundamentals document forms a top level publication in the hierarchy of the IAEA Safety Series. Some of those issues concern quality assurance like: “Quality assurance practices are an essential part of good management and are to be applied to all activities affecting the quality of items, processes and services important to safety. Inherent in the achievement of quality is the adoption of a quality assurance programme, which includes the planned and systematic actions necessary to provide adequate confidence that specified requirements are satisfied. Implementation of the quality assurance programme involves managers, performers of tasks, and those responsible for verification and assessment of the effectiveness of the programme. It is not a sole domain of a single group. However, management has the key responsibility to ensure that the programme functions properly and to establish and cultivate principles that integrate quality assurance practices with daily work activities.”and “Quality needs to be verified by a disciplined approach. Thus, quality assurance practices include: x x x x x x x x 90 A detailed analysis of the objectives to be achieved; An analysis of the tasks to be performed; The identification of skills required; The selection and training of personnel; The use of appropriate equipment and procedures; The use of document control and record systems; The creation of a satisfactory working environment; and A recognition of individual responsibilities. The extent and type of quality verification need to reflect the safety significance and nature of the individual tasks. Such verification methods include audits, checks and examinations to ensure that each task has been satisfactorily performed or that any necessary actions have been taken. However, the basic responsibility for achieving quality remains with the performer of the task, not the verifier.” The other QA related criteria presented in the Safety Fundamentals Document are as follows: x Organizations engaged in activities important to safety shall establish policies that give safety matters the highest priority, and shall ensure that these policies are implemented within the managerial structure having clear divisions of responsibility and clear lines of communication. x Organizations engaged in activities important to safety shall establish and implement appropriate quality assurance programmes that extend throughout the life of the installation, from siting and design through to decommissioning. x Organizations engaged in activities important to safety shall ensure that there are sufficient numbers of adequately trained and authorized staff working in accordance with approved and validated procedures. x The capabilities and limitations of human performance shall be taken into account at all stages in the life of the installation. In accordance with the Safety Fundamentals document the quality assurance principles shall be applied in all organizations engaged in activities important to nuclear safety. More detailed IAEA Requirements are presented in [6]. The Requirements document presents basic requirements and principles that in the light of experience and the current state of technology must be satisfied to ensure adequate safety. The main objective is to place emphasis on work results, recognising the responsibilities and contributions of managers, workers and those who assess the quality of work. The purpose of this kind of performance-based approach to quality assurance is to prioritise programme implementation and effectiveness, rather than programme development and documentation. Plenty of other regulations exist for quality assurance programmes (quality systems). A series of ISO 9000 documents is a generally approved and largely used foundation. Further, the regulatory bodies have their own requirements defined in national regulations and safety guides. 2.4.1.2. Quality assurance programmes The quality assurance programme is a component of good management and is essential to the achievement and assessment of high quality of products, services and work processes. To ensure a proper implementation it is important that the quality assurance programme is tailored to an organization by taking into account existing routines and specific features of the organization. The requirements constitute the foundation of a comprehensive quality assurance programme. 91 These basic requirements are divided into three functional categories: x x x Management. Performance. Assessment. 2.4.2. Performance reviews — IAEA IRRT services 2.4.2.1. Purpose The International Regulatory Review Team (IRRT) service provides advice and assistance to member states to strengthen and enhance the effectiveness of their nuclear safety regulatory body [18]. 2.4.2.2. Objective The key objective of an IRRT mission is to enhance nuclear safety by: x Providing the host country (regulatory body and governmental authorities) with an objective review of their nuclear regulatory practices with respect to international guidelines; x Providing the host regulatory body with recommendations and suggestions for improvement in areas where their organization or performance can be improved or falls short of internationally accepted practices; x Providing key staff at the host regulatory body with an opportunity to discuss their practices with experts who have experience of other practices in the same field; x Providing all member states with information regarding good practices identified in the course of the review; and x Providing experts from member states and the IAEA staff with opportunities to broaden their experience and knowledge of their own field. 2.4.2.3. Scope An IRRT mission can review following topics: x x x x x x x x x x x 92 Legislative and governmental responsibilities; Authority, responsibilities and functions of the regulatory body; Organization of the regulatory body; Authorization process; Review and assessment; Inspection and enforcement; Development of regulations and guides; Emergency preparedness; Radioactive waste management and decommissioning; Radiation protection, and Transport safety. 2.4.2.4. Experience The IRRT service was inaugurated in 1989 and four missions were completed in the period to 1994. Since 1997 there has been a much greater demand for the service and during this period missions to Bulgaria, Romania, Slovakia, Ukraine, Switzerland, Slovenia, Czech Republic, Finland, Hungary and China were completed. Pre-IRRT missions to Viet Nam and Indonesia have also been completed. There is now a very high demand for the service. Although the service started with a focus on regulations for NPPs, most missions now include reviews of regulations in the areas of radiation, radioactive waste and transport safety. 2.4.2.5. Recent developments The experience gained during the completed missions and the new Safety Requirements Document on Legal and Governmental Infrastructure have been used to revise and update the IRRT guidelines. Recent work has concentrated on developing the guidelines for the review of radiation safety, radioactive waste management and the interface between the regulatory body and the operator. Follow-up visits are envisaged in the future. 2.4.3. Quality assurance and self-assessment in the regulatory body — an example The basic elements of the quality assurance programme presented in 2.4.1.2. For the internal QA programme of the regulatory body are reflected in the following country specific example STUK (Finland). 2.4.3.1. Management Nuclear Energy and Radiation Protection Acts and Decrees as well as the Decree on STUK define the regulatory framework in Finland. They also set our objectives and basic duties in the legislation. General safety requirements are given in the Decisions by the State Council (i.e. Cabinet of Ministers). Detailed technical and administrative instruction relative to the design, construction, commissioning and operation of nuclear power plants are given in the YVL guides published by STUK. These guides form a practical basis for the regulatory work. Through the YVL guides STUK transfers the legislative requirements to the practical control and inspection related requirements. In addition to the YVL guides STUK has internal guides which define administrative and inspection related practices. The quality assurance programme of Radiation and Nuclear Safety Authority (STUK) consists of many duties and work processes which are defined in several STUK manuals and in the department specific YTV manual. In addition to the legislation and YVL guides work practices are defined in the manuals as follows: x x x x x STUK quality manual; Administration manual; Financial administration manual; Emergency preparedness manual; Communications manual. All of these manuals were established by examining legislation, and considering the expectations and needs of main counterparts. Co-operation modes, requirements for the nuclear 93 YVL guides. The YTV quality manual and the emergency preparedness manual are the main internal documents which regulate actions of regulatory control within the department of nuclear reactor regulation. The organizational structure and individual job descriptions of the nuclear safety control are included in the YTV quality manual. Training and qualification There are training procedures in the YTV quality manual and training manager position in the organization. The inspector training programme has been developed and implemented. Necessary knowledge and skills for performing the duties have been identified. Staff selection methods exists [19]. Document control and records All information exchanged between the regulatory body, other governmental bodies, the operator, its contractors, advisory committees and the regulatory body's consultants and as appropriate, members of the public should be formally recorded upon receipt and stored in a manner that allows for easy retrieval. It is particularly important that documents related to enforcement action can be accessed when required. There is an act controlling archives of governmental organizations. This act requires that each organization must have an archive rule defining necessary activities in registration. It is a folder containing the rule and following appendixes: structure of the register, list of documents which are not registered, registration, detailed structure of the register, handling of secret documents, borrowing of a document from the register, organization, job descriptions, fees of copies, protection of documents, destroying of documents. Concerning nuclear power plants there is a separate substructure for each NPP containing the following headings: NPP administrative control, licensing document control, NPP systems, components and structures according to a system list, trial tests, control of operations of NPP (reports etc.), nuclear fuel, nuclear material, nuclear waste. All these materials are kept permanently, NPP procedures are kept when they are still valid. After the decommissioning of NPP these documents will be sent to the national archives for research purposes. There are some documents which are kept until decommissioning and then 5% of the annual documentation will be sent to national archives. 2.4.3.2. Performance The YTV quality manual includes also procedures to define safety performance objectives as well as annual performance objectives as part of longer term strategy. Working methods which stress quality and satisfactory working environment as well as relationships with the customer groups are also included. When applied to the operating NPP’s, regulatory control contains assessment and inspections which can be divided in three categories as follows: x x x Periodic inspections as specified by STUK in plant specific programmes; Topical inspections to be requested by a plant owner on a basis of YVL guides; Safety re-assessment. The inspections contained in the periodic inspection programme are focused at safety significant functions and processes applied by the utility. The control aims to ensure 94 compliance with the regulations and the plans and programmes approved by STUK, and to assess the appropriateness of the utility activities. Nuclear power plant operation includes activities which can be implemented only after STUK’s approval of the activity has been granted. The approvals are tied to preceding inspections. It is also verified afterwards that the implementation complies with the plans and meets possible regulatory conditions. Requirements and obligations which apply to inspections of different topics are presented in the YVL guides. The important inspections which the operating organization is obliged to request are the inspections of repairs and modifications. For all the repairs of failed safety significant components, as well as for all modifications of the safety systems the operating organization has to present their plans in advance for STUK approval. The plan has to include technical documentation as needed to verify the acceptability of the functional features, structure, and materials of the repaired or new equipment. Also the repair or installation method, quality control, and tests after the work have to be presented. When the work has been completed, the operating organization has to ask for construction and/or commissioning inspections. The safety level of the nuclear power plant is re-assessed after any abnormal event, and the need for corrective measures is considered. To ensure a systematic analysis of the event and its causes, an investigation team by STUK is nominated. The team has to find out root causes of equipment failures and human errors and weaknesses in the performance of the operating organization as a whole. At the end the team has to present a report including recommendations for corrective actions, intended to prevent re-occurrence of similar events. A similar parallel activity is required from the operating organization, and it has to submit its special report for regulatory approval. A thorough evaluation of the situation at the Finnish plants is also done if an event reported from a foreign nuclear power plant is suspected to be of such a nature that it might as well occur in our country. Besides feedback from the operating experience, safety re-assessment is done on the basis of PSA studies and in view of new information gained from safety research programmes. Periodic safety reviews are also carried out, e.g. when operating licences of NPP’s are renewed. In addition to the regulatory control of nuclear power plant operation, STUK maintains its preparedness to act in plant emergencies. In an emergency, STUK is the authority controlling accident management and an expert body providing assistance to the authorities in charge of the rescue services. 2.4.3.3. Assessment The regulatory body should have a system to audit, review and monitor all aspects of its activities such as inspection and enforcement activities to ensure that they are being carried out in a suitable manner and that changes to them that are needed, due to improvements in techniques or otherwise, are implemented. This system should consider among other matters, in the case of inspection and enforcement: x x Inspection guidance and inspection methods; Inspection resource allocation; 95 x x x x x Procedures within the regulatory body in relation to inspection activities e.g. planning of inspections; Procedures for co-ordination of inspection activities with the review and assessment process; Procedures for involving consultants in inspection activities; Recording of documentation; Procedures related to enforcement actions. Effectiveness of the regulatory activities is assessed through normal everyday supervision and through periodical self-assessment reviews where management, organization, work methods, quality of work, communication, human aspects etc. are handled through some systematic review method and where there is a possibility to get feedback internally or from other organizations. Some outside organizations can be used also for independent assessment such as IAEA IRRT services to review regulatory activities. For example in STUK self-assessment project was carried out in 1995–1997. The criteria set for the Finnish quality award (see Table VIII) were used as model in this assessment and via this process strengths and weaknesses of our working methods were identified and relationships with our customer groups were also handled. Topics included leadership, management and analysis of information and data, strategic planning, human resource development, process management, results of performance, customer focus and satisfaction, society and environment related influence. The method is mainly intended for commercial companies but can be used also in analysing governmental organizations. This project provided good information for future development. Also work environment evaluations carried out by external companies as well as communication training sessions have been organized for improving working conditions and atmosphere. The periodic inspection programme is reviewed annually through feedback gained during the previous year. The organizational units and individuals are reviewed through performance appraisals annually or more frequently. Guides and procedures are reviewed once in four years and then new developments and work methods can be written in the new revisions. The IAEA IRRT mission was carried out in STUK in March 2000. The resulting report is provided through STUK Internet home pages. 2.5. PROFESSIONALISM AND TRAINING OF REGULATORY BODY STAFF What is meant by professionalism in an inspector’s work? How can professionalism be developed? These are the key questions for this Section. Inspectors are proud of their profession. To develop professionalism it is essential to realize the essence of the job. For supervisors and training co-ordinators this is particularly important because they transmit their own performance and behaviour through the training they offer to newcomers. What is professionalism? It is clear that professionalism means competence in terms of knowledge and skills, education and experience. But this is not enough. Inspection and assessment must be conducted in an independent and objective manner. Inspectors are not power company people, nor are they opponents of nuclear power. They perform independent 96 inspection work according to the guidelines, procedures and criteria in an objective manner. They communicate in a business-like manner, which means that communication is pertinent and systematic. Because they are inspectors they have a questioning attitude. They do not assume too much, they ask for explanation and clarification from licensees and their representatives. They know this phrase “questioning attitude” also from the safety culture discussions, and they can help to promote safety culture through their questioning attitude. Last but not least their appearance, fitness and behaviour is in accordance with the expected behaviour norms. They have learnt that unsuitable appearance and behaviour may ruin their chance of reaching their goals. This applies also to their inspection work. They affect their counterparts through their appearance and behaviour and may improve their possibilities to carry out inspection and to get better response to their findings. The inspector understands his/her role and duties and knows his/her rights, obligations and responsibilities. The inspector knows his/her powers in inspection work. The inspector has his/her priorities in the right order where nuclear safety is concerned. TABLE VIII. SELF-ASSESSMENT OF STUK ACTIVITIES. THE CRITERIA OF THE FINNISH QUALITY AWARD COVER THE FOLLOWING ELEMENTS: Results of performance x Product and service quality results; x Company operational and financial results; x Supplier performance results. Customer focus and satisfaction x Customer and market knowledge; x Customer relationship management; x Customer satisfaction determination; x Customer satisfaction results; x Customer satisfaction comparison. Leadership x Personal leadership of top management; x Leadership system and organization. Management of information and analysis x Management of information and data; x Competitive comparisons and benchmarking; x Analysis and use of company level information and data. Strategic planning x Strategy development; x Strategies and action plans. Human resource development and management x Human resource planning and evaluation; x High performance work systems; x Employee education, training and development; x Employee well-being and satisfaction; x Results of employee development and management. Process management x Design and introduction of products and services; x Product and service production and delivery; x Support services; x Management of supplier performance; Society and environment related influence x Responsibility for the society; x Management of environmental issues; x Results of environmental management. 97 2.5.1. Regulatory role and duties In the following the Radiation and Nuclear Safety Authority (STUK) is used as an example to clarify the matter. In different countries there are different governmental practices that must be taken into account if applying the ideas. The philosophy of governmental regulatory body (STUK in Finland) is as follows: x x x x x The use of radiation and nuclear energy are useful but potentially dangerous activities; The government needs to find out the acceptability of the activity from the point of view of the society and to ensure safety as well as to control the activity; For this, the parliament passed the law establishing the STUK and giving the rights and necessary sanctions to the STUK; Then the STUK decides what is right on the basis of powers received from the parliament. An inspector’s role and duties in STUK in Finland are as follows: The inspector is a civil servant of the Finnish government; The legislation (Nuclear Energy Act) defines the specific role of the Inspectorate, e.g. the Inspectorate defines safety requirements and the inspectors verify by inspections the fulfilment of safety requirements; The Inspectorate also has a specific role in emergency preparedness. Other laws like pressure vessel and radiation protection laws increase the role of the STUK compared to some other western regulatory bodies. The Nuclear Energy Act defines specific duties of the Inspectorate: x x x x x x x x Handling of permit applications; Control of conditions of permits and specification of detailed requirements; Set safety requirements; Control of fulfilment of safety requirements; Set conditions for the persons involved in the use of nuclear power and study the fulfilment of the conditions; Give expert assistance to other authorities; Perform necessary research and participate in the international co-operation; Refer to decisions and give statements on the base of control. STUK publishes the regulatory requirements in the form of regulatory guides called YVL guides. The guide YVL 1.1 “STUK as the regulatory authority for the use of nuclear energy” [16] presents the forms of control and inspections made by the STUK. For a specific inspector the duties are defined in the job description. 2.5.2. Rights According to the Nuclear Energy Act the inspector has the following rights: x x x x 98 He/she has access to the place of inspection; The inspector can inspect, measure and get samples; He/she gets necessary information and documents, plans and agreements; He/she can give orders, require settlements and reports and have research made. 2.5.3. Obligations In his/her work the inspector must note the following obligations: x Principle of law. In regulatory work we must follow the law; we know the law and the subject matter; we know how to act and what kind of rights we have; we act without delay in an open, correct and honest way. x Principle of equality. All citizens and organizations must be dealt with equally. In similar cases there should be similar solutions. This means that we know possible solutions and the solutions already used. The YVL guides define in many cases the main guidelines. Supervisors must ensure that these are followed. We are open and honest. x Principle of correct aims. When considering a solution it is not acceptable to promote other goals than what is the case. x Principle of proportional sanctions. Sanctions must be in right relationship to an offence. Seriousness of an offence is considered on the base of safety importance: we do not shoot a fly with a gun. x Principle of objectivity. The regulator must be objective and correct. If one is disqualified he must pass the matter to another person. Independence is necessary in regulatory work. A published general attitude may affect the believing on one’s objectivity. x Principle of effectiveness. The taxpayers pay the final bill. We must be careful when using public money; we must work with important matters and our actions must not consume too much time. x Principle of publicity. Generally matters are public. The regulator must be open if the law does not say otherwise. Openness means speed in publishing and correct content. Keeping something secret presumes a decision. Documents under preparation are non-public and STUK may consider if it gives information. There are three reasons for secrecy of documents: threat of illegal activity (terrorism), trade secret and protection of privacy. 2.5.4. Responsibilities In law the inspector has the following responsibilities: x Disciplinary responsibility. The inspector must act according to his/her duties. In the case of failure there are sanctions as warning, dismissal for max. six months or final dismissal; x Responsibility of criminal legislation. Criminal law mentions e.g. the following responsibilities that concern government officials: bribe offence, offence against secrecy of documents and misuse of one’s office; x Responsibility for compensation of loss. If the inspector causes economic loss to the counterpart because of failure in one’s duties caused by purpose or by grave error or by neglect of duties the employer carries the responsibility in the first place but the responsibility may apply to the inspector later. There is also a principle of moderation to 99 be applied in this kind of cases. As an example a serious case in this respect may be if the regulatory body (representative) orders the plant to be shut down without reasonable safety importance. 2.5.5. Relationships with the power company Relationships with the licensee should be clear. An atmosphere of confidence and respect should prevail between the two parties. One should remember that a plant manager has full responsibility for the plant safety. The regulator ensures that operator fulfils this responsibility. Therefore the inspector gets all the information and documents needed for assessment and has right to inspect. It is always good to give an operator a chance to comment and propose a solution for the problem. If needed the regulator has tools for enforcement. E.g. STUK has strong tools at its disposal. However, the strong enforcement tools have not been used in practice. We think that for achievement of a high safety level it is better to motivate people to do good work, rather than to threaten them by fines or other penalties. Especially we want to avoid charges against individuals who have committed errors by mistake or due to shortcomings in training and information provided to them. It is also recognised that the use of legal or monetary penalties does not resolve the structural root causes of the problems. Experience has shown that a very effective way of enforcement is public information about abnormal events at the nuclear power plants. 2.5.6. Professional behaviour How should a professional inspector behave? The inspector conducts inspection and assessment independently and in an objective manner. One listens to licensee representatives carefully so that he/she understands information properly. The inspector communicates in a pertinent and systematic manner. He/she uses moderate language in oral and written communication and avoids extreme expressions. One knows how to handle proprietary information. The inspector avoids negative attitudes and he/she tries to promote safety culture with positive attitudes. 2.5.7. Inspection/auditing techniques Inspection/auditing techniques are a special skill the inspector must have if he/she is going to perform inspections successfully. In the following some key ideas are presented to stimulate your imagination. A suitable technique depends on the type of inspection. Your successful ideas and techniques should be discussed with your colleagues because through experience we learn these things. There are several methods for acquiring information: review of written material, interviews with personnel, direct observation of performance, status and activities, independent testing. Before inspection one must decide what written information to read before going to the plant and what during the inspection/audit. At the beginning of inspection the inspector establishes a good communication with the licensee representative and gives the general overview on the inspection. The inspector takes control of inspection activities: is well prepared; does not assume but asks questions, takes detailed notes, and adheres to plant rules. When performing the inspection one pays attention to detail and gets to the root cause of 100 problems; one verifies and evaluates findings and searches for objective evidence; one should take bigger sample if he/she is unsure of problem scope or existence. When interviewing people one asks open questions avoiding “yes” or “no” answers, e.g. by using words how, who, what, when, why, show me and he/she listens the answers carefully. The inspector does not reveal his/her opinion of the answer and does not compare different organizations. One does not disagree between the team members during the interview and one admits if his/her question is beyond the level of his/her knowledge. The inspector is objective and shows rather positive attitudes than negative and arguing attitudes. If the inspector finds deficiencies he/she gets admission from the licensee representative. Professional attitude in inspection is that the inspector tries to find problems and areas for improvement but leaves finding of solutions to the power company. 2.5.8. Inspection philosophy It is important for the regulatory body to define inspection philosophy — to formulate some kind of inspection programme. In Finland the nature of the inspection programme has been defined in the YVL-guide 1.1. In different countries the inspection philosophy varies somewhat. What functions well in a small country may not be applicable in a big country and vice versa. Therefore it is useful for the inspector to exchange information with colleagues from other countries to get new ideas for developing inspection practices in one’s own country. E.g. there is a working group of inspection practices (WGIP) of the OECD/NEA/CNRA for this kind of information exchange among OECD countries and it has published some useful documents in this respect e.g. presenting the inspection philosophy, organization and practices in different countries [15]. Inspectors should also have some tools to prioritise inspection work. A safety classification document is a useful tool in this respect. Use of PSA is also used increasingly to prioritise inspections. We are nuclear safety inspectors. Therefore the most important viewpoint in inspection for us is nuclear safety viewpoint. From a philosophical point of view the application of basic principles of defence-in-depth concept are central. Inspectors should know the concept so well that he/she even by instinct covers the key points in his/her inspection work. Application of the concept is a good sign of the right safety culture attitudes. Starting from the basic principles of “defence-in-depth” thinking, we should concentrate on the following three lines of defence in our inspection work: x Prevention of failures. x Monitoring or detection of failures. x Making sure that failures cannot recur and mitigation of consequences of failures. Specifically, when operations, maintenance and technical support of NPPs are concerned. Each of these topics leads to more detailed sub-items depending on the topic such as: x For prevention: are there proper procedures and are they used, preventive maintenance programmes, tools and working conditions, briefing and training, QA etc.; 101 x For monitoring and detection: are there proper alarms and alarm procedures, surveillance programmes, testing procedures and criteria, testing lines and measuring devices etc.; x For experience feedback and mitigation: are there proper operational feedback systems and methods, component repair and reliability histories, reactor protection system response, incident procedures, accident management procedures, etc.? When the organizational and safety culture aspects are considered the following key items should be considered: x Policy level commitment. x Managers’ commitment. x Individuals’ commitment. Also in this case each of these topics leads to more detailed subitems to be considered such as: is there a proper safety policy statement, where are the safety topics handled in the documentation (policy level, QA manual, Tech. Specs, respective procedures); what is management and individuals’ opinion on the subject matter: what have they done to minimise the risk, do they support the finding, what are they going to do to improve the situation, why it was possible that the inspector made the finding before they realised the unsafe situation, how often unsafe situations appear, how often inspectors make these findings etc. Our questions and review should be directed in such a way that these aspects will be covered if they are applicable in the inspection in question. If our work reflects these aspects systematically we have good opportunities to promote nuclear safety and safety culture through our work. 2.5.9. Maintaining competence How does a professional inspector maintain competence. One follows the development in his/her technical field of speciality. One keeps up to date with changes in regulatory policy and practices. One develops his/her skills in inspection and assessment to the highest level for being able to develop practices and not only to perform routine work. If this is your goal how do you organize the matter? 2.5.10. Training of inspectors One of the central prerequisites for professionalism is competence i.e. knowledge, skills and attitudes needed for the job in question. The IAEA Requirements for Governmental Organization say that a regulatory body shall ensure that its staff members participate in welldefined training programmes. Continuing training is also required. For well-defined training programmes the regulatory body needs training administration as well as initial and continuing training. Table IX shows the basic elements of regulatory training programme [19]. Organization of training depends on the size and resources of the regulatory body. A small and inexperienced regulatory body needs external international support. A large and experienced organization may be self-sufficient. In any case international information exchange is needed for continuing training to get fresh and new ideas for further development. Examples of regulatory competencies and training activities in a regulatory body are given in [20]. 102 TABLE IX. ELEMENTS OF REGULATORY TRAINING PROGRAMME Basic knowledge x Familiarization with the law and radiation and industrial safety; x Nuclear safety principles and safety culture; x Plant and systems knowledge; x Accident analysis and emergency planning; x QA and organizational matters. Professional knowledge x Regulatory control; x Assessment skills; x Inspection skills; x Job specific training courses; On-the-job training. Communication and management skills x Effective writing skills; x Interviewing skills; x Negotiation skills; x Leadership and team work skills. Continuing training x Refresher training; x Further personal development; x Information exchange and international cooperation. For the well-defined training administration training manager/coordinator as well as training policy and necessary training procedures are needed. Job descriptions are needed for preparing systematic, job specific and individual training programmes. Furthermore training courses, facilities and training materials should be established. In addition to training courses, a systematic approach by using individual on-the-job training guidelines is needed. A good model is provided by the OECD/NEA/CNRA/WGIP through its inspector qualification guidelines [21]. 3. ASSESSMENT OF SAFETY 3.1. IAEA GUIDANCE FOR REGULATORY REVIEW AND ASSESSMENT2 Review and assessment is one of the regulatory body’s principal functions. The size and composition of the regulatory body, including consultants and advisory committees, reflect the extent and nature of the facilities that it regulates and may also vary depending on the phases of the facilities’ life-cycle. When using consultants, the regulatory body carefully defines the terms of reference for the review and assessment. Consultants possess a clear understanding of the regulatory body’s safety objectives. The regulatory body has permanent staff with sufficient competence to manage the work of consultants and to evaluate the quality and results. The use of consultants shall not relieve the regulatory body of any of its responsibilities. In particular, the regulatory body’s responsibility for making decisions and recommendations shall not be delegated. 2 INTERNATIONAL ATOMIC ENERGY AGENCY, Review and Assessment of Nuclear Facilities by the Regulatory Body, GS-G-1.2 (in press). 103 The basic objective of review and assessment is to determine whether the operator’s submissions demonstrate that the facility complies throughout its lifetime with the safety objectives, safety principles and safety criteria stipulated or approved by the regulatory body. The specific objectives of the review and assessment depend on the stage of the lifetime of the facility. Examples of these specific objectives are presented in Table X. TABLE X. EXAMPLES OF SPECIFIC OBJECTIVES OF REVIEW AND ASSESSMENT x To determine whether an operator has the ability and resources to discharge its obligations associated with any authorization granted for any stage of the lifetime of the facility. x To determine whether the chosen site is suitable for the proposed facility, account being taken of the site–facility interaction and, anticipated changes to the site environment during the proposed period of operation, and to recommend to the appropriate authorities requirements on the site surroundings that may be considered necessary by the regulatory body. x To determine, before manufacture, construction, installation or decommissioning, whether the design related, operational or decommissioning related proposals in relation to the facility, and other operator statements and commitments, meet the regulatory body’s requirements, and to impose any further conditions or requirements that may be considered necessary by the regulatory body. x To determine whether the commissioning test programme is complete and contains a well defined set of operational limits, test acceptance criteria, conditions and procedures; whether the commissioning tests can be safely conducted; and whether the test results are adequate for confirming the adequacy of all safety related features of the facility. x To determine whether the operator has a safety management system that meets the regulatory body’s requirements. x To determine whether the operational limits and conditions are consistent with the regulatory body’s requirements, the operational characteristics of the facility and the state of knowledge and operational experience, and whether an adequate level of safety is maintained. x To determine whether the operator’s personnel, in terms of both number and competence, meet the regulatory requirements at all phases of the life-cycle of the facility. x To determine whether proposed modifications to the facility have been conceived and implementation planned so that safety is not compromised. x To evaluate safety reviews performed by the operator including performance indicators. x To determine whether the operator’s statements and commitments regarding decommissioning and closure meet the requirements of the regulatory body. The review and assessment is primarily based on the information submitted by operator. For the thorough review and assessment of the operator’s technical submission regulatory body acquires an understanding of the design of the facility or equipment, safety concept on which the design is based, and the operating principles proposed by operator. The regulator satisfies itself that: 104 the the the the x The available information demonstrates the safety of the facility or proposed activity; x The information contained in the operator’s submissions is accurate and sufficient to enable verification of compliance with regulatory requirements; and x The technical solutions, and in particular any novel ones, have been proven or qualified by experience or testing or both, and are capable of achieving the required level of safety. The regulatory body prepares its own programme of review and assessment of the facilities and activities under scrutiny. The regulatory body follows the development of a facility or activity, as applicable, from initial site selection through design, construction, commissioning and operation to decommissioning. Much of the review and assessment will be connected with specific stages of the authorization process and the depth and content will vary accordingly. Co-operation of the operator is essential to ensure that review and assessment can be carried out in an effective and informed manner. Management of the review and assessment within the regulatory body is an important part of the process. It includes planning, preparing guidelines, developing competence and necessary tools for review and assessment, co-ordinating information exchange and activities internally and externally, keeping a log on documents and actions, making arrangements for liaison with consultants and advisory bodies, monitoring the progress, collating and disseminating the overall findings and reporting the results of review and assessment. 3.1.1. Safety objectives and safety requirements for review and assessment Safety objectives and basic safety requirements specify safety goals or protection levels of performance to be achieved at the facility. However, the regulatory body does not prescribe specific designs, safety management systems or operational procedures. Safety objectives and safety requirements may be developed by the regulatory body itself or adopted from safety objectives and safety requirements developed and published by regulatory bodies in other Member States or by international organizations. If these are to be adopted, a good understanding of their basis and use in other Member States should be acquired, and adaptation may be necessary for specific purposes. In formulating the content and structure of the safety objectives and safety requirements to be used in its review and assessment process, the regulatory body may consider a broad range of sources. Examples of these sources are: National laws and regulations; The requirements and experience of relevant national industries; Technical results and experience of research and development; Expertise and requirements used by other persons and bodies involved in reviewing and assessing similar facilities with respect to technology or safety implications; x Advice obtained from consultants and advisory bodies associated with the regulatory body; x Nuclear, radiation and waste safety standards and guidance as well as other information published, by national and international organizations. x x x x 105 The regulatory body has a clear understanding, at all stages of the authorization process, of the basic safety objectives and safety requirements that will be used for review and assessment. As far as is practicable, these basic safety objectives and safety requirements are communicated to the operator for guidance in preparing its documentation. 3.1.2. Areas for review and assessment This section outlines the areas of review and assessment. A list of the topics to be considered in a review and assessment process through out the life-cycle of a nuclear power plant is given in 3.2. It is important to note that the safety argument presented by the operator should at all phases deal with the full range of topics to an appropriate level. At all stages the operator demonstrates that it is in control of the facility and has adequate organization, management, procedures and resources to discharge its obligations and as appropriate, its liabilities. Site evaluation In considering an application for siting, the regulatory body will tend to concentrate on characteristics of the site and, as appropriate, the interaction between the proposed facility and the site. Site selection for many facilities is initially determined by processes not greatly influenced by highly prescriptive criteria. However, general national policy requirements concerning remoteness, local population density and transport arrangements apply. In all cases, the site of the facility is qualified by review and assessment to determine potential interaction between the proposed facility and the site, and the suitability of the site from the point of view of safety. This site review and assessment may be performed in parallel with the design review and assessment or, as in some member states, may be performed at an earlier stage. Areas of review and assessment that are of particular significance are the impact of the local environment, natural and human made on the facility’s safety and the demands that the facility will make on the local infrastructure. Design, construction, manufacture and installation Before authorization of construction of the facility, review and assessment will be concentrated on the operator’s approach to safety and safety standards and how these have been applied in developing the design. Features such as the physical layout and building of the facility and the key process elements and expected radiation doses should be clearly understood and their effect on the safety of the facility throughout its lifetime are assessed at the design stage. In addition, before authorizing construction, the regulatory body reviews and assesses the operator’s arrangements for control of construction, manufacture and installation activities. Once construction has started, many features of the design can be changed only with great difficulty and at high cost. Review and assessment of the design will continue during construction, manufacture and installation, as the details become finalized. Changes to the authorized design in this phase are analyzed by the operator and reported to the regulatory body which carries out the necessary review and assessment. 106 Commissioning Commissioning can be considered in two stages: inactive, before fissile material is introduced, and active, after fissile material is introduced. Clearly the radiological risks only arise after the second stage has been started and therefore it is normal to make the start of this stage a major step in the regulatory authorization. Both stages of commissioning are carried out against a programme which has been reviewed and assessed by the regulatory body and is capable of testing whether the as built facility meets the stated requirements. The inactive stage of the commissioning is aimed at ensuring that the facility has been constructed, manufactured and installed correctly and in line with the design documentations. Where deviations from this have occurred they have been recorded and it has been shown that the safety analysis has not been compromised. The results of inactive commissioning also confirm the operational features of the facility and lead to the development of detailed instructions for operators that will be confirmed during the active phase. Active commissioning with the introduction of fissile material is a major step in the authorization process. The review and assessment take into consideration the final or ‘as built’ design of the facility as a whole, the commissioning programme and its progress, the organizational structure, the qualifications of operating personnel, emergency planning, the preliminary operational limits and conditions, and the preliminary operating procedures. Where there are deviations from the design parameters, the regulatory body reviews and assesses additional analysis provided by the operator. As the active commissioning processes move closer to completion, review and assessment are concentrated on how the facility is operated and maintained, and on the procedures for controlling and monitoring operation and responding to deviations or occurrences. Before authorizing routine operation, the regulatory body reviews and assesses the results of commissioning tests including correction of eventual non-conformances. The regulatory body reviews and assesses any proposed changes to the operational limits and conditions. Operation For routine operation the regulatory body requires the operator to report regularly on adherence to safety objectives and compliance with specified regulatory requirements, and on efforts made to enhance safety. The regulatory body reviews and assesses the reports and performs inspections to confirm whether compliance with safety requirements is maintained and whether the facility is able to continue in operation. While the need for reassessment may arise in a number of ways, systematic safety reassessments termed periodic safety reviews (PSRs) need to be carried out by the operator at intervals to review the cumulative effects of ageing of the facility and of modifications, and the implications of operating experience and technical developments. The objective is to assess the facility against current safety requirements and practices and to determine whether adequate arrangements are in place to maintain its safety. When a review shows that the facility does not meet current safety requirements, the significance of the shortcoming is assessed and the possibilities of meeting the requirements are considered. The PSR enables the regulatory body to judge whether it is acceptable for the facility to continue to be operated until the next PSR is carried out. 107 Decommissioning Review and assessment of decommissioning covers the decommissioning plant and the procedures and methods to be applied, the anticipated doses, the maintenance of safety and the final state of the facility at the end of decommissioning. An area of particular significance is the safe management of the radioactive waste generated. 3.1.3. Review and assessment methodology The review and assessment process is a critical appraisal, performed by the regulatory body, of information submitted by the operator to demonstrate the safety of the facility. Review and assessment is undertaken in order to enable the regulatory body to make a decision or series of decisions on the acceptability of the facility in terms of safety. Decisions relating to safety are based on the review and assessment of the operator’s submissions, the studies and evaluations performed independently by the regulatory body itself, and the safety objectives and specific safety requirements established by the regulatory body. These safety objectives and safety requirements will themselves be founded on the existing knowledge as represented by the technological developments in all pertinent fields. Decisions of the regulatory body should reflect professional judgement by technically competent persons on the bases of requirements and operational experience throughout the review and assessment process. Review and assessment includes consideration of both normal operation and failures, faults, and events, including human errors that have the potential for causing the exposure of workers or the public or subjecting the environment to radiation hazards. This safety analysis is as complete as possible and one of the initial tasks of the review and assessment is to confirm its completeness. The review and assessment process includes checks on the actual situation at the site and elsewhere to validate the claims made in the submissions. Operators often have external peer reviews conducted for them by national or international organizations. The results of such reviews, if available, could provide the regulatory body with additional insight to the activities of the operator. 3.1.3.1. Review plan for operator’s submissions The operator is responsible for submitting documentation in support of its application for authorization. At each stage of the authorization process the operator will be required to demonstrate to the satisfaction of the regulatory body that the facility can be sited, designed, constructed, commissioned, operated, decommissioned or closed without giving rise to undue radiation hazards to workers, the public and the environment. Any modification to safety related aspects of a facility or activity is subject to review and assessment, with the potential magnitude and nature of the associated hazard being taken into account. For more important submissions by the operator (e.g. safety analysis report) it may be useful for the regulatory body to perform an acceptance review of the documentation. As a result of this acceptance review, an application or submission that is grossly deficient in certain areas is returned to the operator for correction prior to re-submittal. 108 In carrying out a review and assessment of an operator’s submission the regulatory body employs a systematic plan to provide assurance that all topics significant to safety will be covered and that operators with similar facilities are treated equally. This plan includes a series of procedures that the regulatory body follows for all aspects and topics covered by the submission in order to identify those items for which applicable safety objectives and requirements have been met and those for which they have not. An outline of such plan could be: x Definition of the scope of the review and assessment process; x Specification of the purpose and technical bases for the review and assessment process (these could be considered as acceptance criteria); x Identification of the additional information needed for the review and assessment; x Performance of a step by step review and assessment procedure to determine whether the applicable safety objectives and requirements have been met for each aspect or topic; x Making decisions concerning the acceptability of the operator’s safety arguments or the need for further submissions. Bases for decisions The regulatory review and assessment will lead to a series of regulatory decisions. At a certain stage in the authorization process, the regulatory body takes formal actions that will result in either: x x the granting of an authorization which, if appropriate, imposes conditions or limitations on the operator’s subsequent activities; or the refusal of such an authorization. The regulatory body formally records the basis for these decisions. At many stages during the review and assessment process decisions are taken on the acceptability of various aspects of the facility. The nature of these will vary during the lifetime of the facility and some will be associated directly with stages of the regulatory authorization process. The regulatory body recognizes the basis for such decisions that take account of a number of factors, important among these are: x The extent to which the safety objectives and requirements have been met; x The acceptability of the depth and detail of the operator’s submission, with the nature of the facility and the magnitudes of the risks it presents; x The state of knowledge concerning particular processes or effects; x The confidence in the conclusions reached on the basis of the analysis of the situation. 109 These factors are an integral part of the review and assessment process and receive special consideration in the documentation produced by the regulatory body. The decisions on acceptability are taken against a background of safety objectives, precedents and judgements, the basis for which should be clearly understood. The decision on the safety of the facility, for example, will always be taken in the light of a requirement to fulfil certain obligations. These will include operational limits and conditions and obligations in respect of maintenance programme and the frequency of in-service inspection or acceptance criteria for radioactive waste. 3.1.3.2. Conduct of review and assessment The general aim of the regulatory review of safety analysis report, whether deterministic or probabilistic, is to verify that for each identified barrier the safety measures are sufficient to provide adequate assurance at the following levels: x Prevention of failure of the barrier itself and prevention of failure of related systems during normal operation and in fault conditions; x Monitoring of any parameter significant to the integrity of the barrier, to allow initiation of either manual or automatic actions in order to prevent any evolution towards an unsafe condition; x Safety action to prevent or limit the release of radioactive material if the barrier has failed; x For certain applications and depending on the associated risk, mitigation of consequences. From this analysis, the requirements on the systems, structures, components and operations can be derived and compared with the provisions made by the operator. The review and assessment by the regulatory body ensures that the operator has used the safety analysis to determine these requirements and that the requirements are met in the equipment and operational procedures. These requirements should cover also, among other things: x x x x x x x x Application of the defence in depth principle; Meeting the single failure criterion for safety related systems; Requirements for redundancy, diversity and separation; Preference for a passive over an active or operator based system for prevention and protection; Criteria relating to human factors and the human-machine interface; Dose limits and amount of discharges to the environment and ALARA consideration; Criteria for radiological risks to workers and the public; Minimization and management of waste generated, including the future decommissioning phase. Structures, system and components From this analysis, the requirements on the structures, systems, components (SSCs) and operations can be derived and compared with the provisions made by the operator. The review and assessment by the regulatory body ensure that the operator has used the safety analysis to 110 determine these requirements and that the requirements are met in the equipment and operational procedures. Specific features that are subject to review and assessment include: x Safety functions and classification of SSCs; x Quality of engineered features in terms of good engineering practices or as set out in the regulatory requirements; x Control of the facility under normal and fault conditions, with account taken of automatic systems, the human-machine interface and operating instructions; x Quality assurance covering SSCs and operational aspects such as training, qualification and experience of the operator’s personnel and the safety management system. Organization and management A well engineered facility may still not achieve the required level of safety if it is not managed well. The review and assessment by the regulatory body, therefore, include consideration of the operator’s organization, management, procedures and safety culture which have a bearing on nuclear, radiation, waste and transport safety and the operation of the facility. The operator demonstrates by documentary means that there is an effective safety and the operation of the facility. The operator demonstrates by documentary means that there is an effective safety management system in place that gives nuclear safety matters the highest priority. The review and assessment by the regulatory body cover all aspects of the operator’s managerial and organizational procedures and systems which have a bearing on nuclear safety such as: operational feedback; the development of operating limits and conditions; the planning and monitoring of maintenance, inspection and testing; the production and revision of safety documentation; and the control of contractors. The regulatory body also reviews and assesses the operator’s procedures for the control and justification of changes to the operator’s managerial and organizational procedures and systems that could have an impact on nuclear safety. Operational safety performance The regulatory body reviews periodic reports submitted by the operating organizations, in accordance with established requirements, to monitor the operational safety performance of the facility. Additionally, reports on safety significant events are thoroughly reviewed by the regulatory body to ensure that an effective operational safety experience feedback system is in place, that no safety related event remains undetected, and that corrective measures are adopted to prevent the recurrence of safety related events. At times, when the severity of the event warrants it, the regulatory body may conduct an independent investigation, usually through a team with appropriately selected areas of expertise, to ensure that the event was adequately investigated, the correctness of identified root causes, the adequacy of the implemented corrective and remedial actions taken. The review includes the identification of lessons to be learned and the process of sharing the associated safety related information. Radiological consequences under normal conditions The assessment of routine operation is directed towards the determination of occupational doses and discharges. These consequences will be compared with those limiting 111 requirements and safety objectives approved by the regulatory body, including meeting the as low as reasonably achievable (ALARA) principle. The regulatory review and assessment of the operator’s submission should determine whether it satisfies these requirements and objectives. In the review and assessment, particular attention should be devoted to a number of topics that influence the potential radiological consequence to workers, the public and the environment during routine operation, which include: x x x x x Sources and inventory; Occupational radiation exposure and other topics related to radiation protection; Radiation protection of the public, with all pathways taken into account; Radioactive waste management; Discharge, dilution and dispersion of radioactive effluents. Safety analysis of fault conditions Consideration of fault conditions strongly influences the design limits for the safety systems and for most structure, systems and components (SSCs) needed for the operation of the facility. It will also strongly influence the operational instructions and procedures that operating personnel should follow. In addition, the potential radiological consequences for workers, the public and the environment in fault conditions may be much more severe than those during routine operation. For this reason, the largest part of the review and assessment effort may be expected to be directed to the safety analysis of fault conditions provided by the operator. Safety analysis can be considered as two major steps: x Identification of postulated initiating events (pies) and their frequencies; and x Evaluation of how these pies develop and their consequences. The method used for identification of the PIEs should be systematic, and auditable and as complete a listing of PIEs as possible should be provided. An important feature of the review and assessment process should be to consider whether the operator’s identification method meets these requirements and the operator’s list of PIEs is acceptable as the basis for the safety analysis. PIEs can be grouped in various ways but a commonly used method is to separate them into: x External hazards, which are outside the control of the operator and may result from naturally occurring or human-made causes, such as seismic, an aircraft crash or explosions due to liquid inflammable gas transportation; x Internal faults that result from inherent failures of the facility, such as mechanical or electrical failures or loss of services; and x Internal hazards that result from failures of systems which are within the operator’s control but which are not directly involved in the process, such as fires or spillages of corrosive material. Consideration should also be given to human errors, which may be initiators in their own right or which may exacerbate another fault. 112 It is usual to classify the PIEs identified according to their initiating frequency and the potential consequences to which they could lead. The purpose of such classification is to decide on the level and type of analysis that should be undertaken. The regulatory body should decide which classification and PIE analysis it requires the operator to provide so that it can decide whether its safety objectives and requirements have been met. The nature of the facility and the potential magnitude of the risk it presents will affect these requirements, as well as affecting the depth and detail of the subsequent analysis. A typical classification, based on initiating frequency, would determine: x PIEs that are of high likelihood should be analysed to show that the facility has a robust tolerance of them, by the provision of safety systems or inherent behaviour tending to restore a safe state, to prevent the release of radioactive material or limit such a release to an acceptably low level; x PIEs that are of low likelihood but that have such severe potential consequences (i.e. unmitigated consequences) that the facility should have safety systems to prevent the release of radioactive material or limit it to an acceptable level; x PIEs which do not fall into these groups should also be analysed with the intention of determining whether in totality they make an unacceptable contribution to the total risk, whether the PIEs in the classes defined are at a threshold of escalation of consequences, and whether the emergency arrangements are sufficient. The regulatory body should determine the type of analytical considerations and assumptions to be used in its review and assessment of the operator’s analysis, and should check that these have been taken into account. It is often the case that for those PIEs which may affect the design and provision of safety systems, or which affect the safety requirements on engineering SSCs, a high degree of conservatism is required in the analysis to meet the requirement of demonstrating that the safety of the facility is robust. This part of the safety analysis should be coupled with consideration of the engineering and the operational practices. The regulatory body, as part of its review and assessment, should ensure that all claims made in the safety analysis for the performance of such systems are met in practice. Similarly, the engineering systems should be qualified to meet the functional requirement for which they were designed; for all situations and at all times, and with environmental conditions, ageing and so on taken into account. The analyses of fault conditions and long term safety are usually performed using computer codes. The regulatory review and assessment should include a check that any data, modelling or computer codes used in calculating either the performance of equipment under the conditions indicated by the analysis or any radiological consequences are based on sufficiently well founded knowledge and understanding, and that an adequate degree of conservatism has been employed. As part of its review and assessment, the regulatory body should ensure that the computer codes are based on well understood principles. Computer codes should be validated against experience or experiment that the coding has been done accurately and the input data have been correctly assigned. In many cases the codes will have been used widely both nationally and internationally, and so it will be possible to consider their verification and validity on a generic basis. However, checks should be made to ensure 113 that the code has not been corrupted by modifications and is being used in an appropriate manner. As a complement to the deterministic approach the regulatory body should require an evaluation of the risks arising from the facility. A common method to provide such an evaluation is for the operator to perform a quantified risk analysis or probabilistic safety analysis (PSA). PSA provides a comprehensive, structured approach to identifying failure scenarios and the corresponding damages to the facility and as a last step deriving numerical estimates of the risk to workers, the public and the environment. PSA provides a systematic approach for determining whether the safety systems are adequate, the defence in depth requirements have been met and the risks are as low as reasonably achievable. It is usual in such analyses to use less conservative assumptions and to consider best estimate values. The regulatory body should review and assess the PSA to gain confidence that it has been carried out to an acceptable standard so that the results can be used as an input to the regulatory decision making process. In the review and assessment, it should be considered whether the data used in estimating frequencies and probabilities are sufficiently well founded; whether the bounding of PIEs into groups for analysis, if used, is sound; whether the identification of failure scenarios is comprehensive; and whether the analyses of the facility’s response and consequences are acceptable. The PSA should include a consideration of the sensitivity of the results to uncertainties in data and modelling and the importance of individual events in the progression of the failure scenario. The insights gained from PSA should be considered together with those from other analyses in making a decision regarding the acceptability of the safety of a facility. An important aspect of PSA is that, as well as giving an estimate of risks, it also provides information on whether the design is balanced, on the interaction between design features of the facility, and on where there are weaknesses. These additional aspects should not be neglected by a regulatory body reviewing a PSA when making its decisions. Although a fundamental feature of the review and assessment process is the consideration by the regulatory body of the documentation supplied by the operator, as another necessary part of the process, the regulatory body should also check claims made in the documentation, by means of visits and inspections to the facility. Such verification is carried out by relevant specialists at all stages of the authorization process. These visits will also allow the regulatory body to supplement the information and data needed for review and assessment. Additionally, the regulatory body will be able to improve its practical understanding of the managerial, engineering and operational aspects involved and foster links with appropriate specialists in the operator’s organization. Where the operator provides some central functions away from the facility, visits are also made by the regulatory body to this part of the operator’s organization. The staff of the regulatory body that carry out review and assessment has the right to visit or designate others to visit on its behalf, the operator’s site and, if necessary, to visit contractors’ establishments with the knowledge of the operator. The visits may be a good opportunity to observe the adequacy and effectiveness of the quality assurance systems of the operator, manufacturers and suppliers. It is often very useful for the operator to arrange for those preparing or involved in complex submissions to provide key regulatory assessors with presentation(s) highlighting the main technical issues raised and analytical techniques used. 114 The review and assessment process will invariably involve the production of reports by various experts in the regulatory body and any consultants employed. A document control system for maintaining records of the process is set up which will allow such documents and records to be easily retrieved. It is particularly important to be able to locate the bases of previous decisions, so that consistency can be achieved and any reassessment made necessary by recent information can be more readily accomplished. Review and assessment result in a decision on the acceptability of the safety of the facility that may be connected to a stage in the authorization process. The basis for the decision is recorded and documented in an appropriate form. This documentation summarizes the review and assessment performed, and provides a clear conclusion about the safety of the authorized activity. Typically, the following topics are covered: x x x x x x x x reference to the documentation submitted by the operator; basis for the evaluation; evaluation performed; comparison with regulatory requirements, regulations and guides; comparison with another similar (reference) facility when appropriate; independent analysis performed by the regulatory body staff, or by consultants or dedicated support organization on its behalf; conclusions with respect to safety; additional requirements to be fulfilled by the operator. 3.1.4. Quality assurance in the review and assessment process The regulatory body has a system to audit, review and monitor all aspects of its review and assessment process to ensure that it is being carried out in a suitable and efficient manner and that any changes to the process made necessary owing to improvements in knowledge or techniques or otherwise are implemented. 3.1.5. Topics to be covered by regulatory review and assessment Table XI provides a generic list of topics that are considered part of the review and assessment process throughout the life-cycle of the facility from site selection to decommissioning. Each topic has been itemized; however, addressing all of them does not necessarily mean that every safety aspect has been fully covered. It should be noted that, depending on the facility and on the particular phase of the facility’s life, some of the aspects/topics will be more important than others and the degree of detail necessary may vary. 115 116 Transport of radioactive materials and waste and equipment both on and off the site needs adequate arrangements. The regulatory body reviews and assesses these arrangements and assures itself that all national and regulatory requirements are met. Safety analysis x are properly characterized and compatible with the anticipated nature and duration of storage pending disposal; x can be subjected to regular surveillance; x can be retrieved for further waste management steps. Throughout the lifetime of any facility, operators propose and implement arrangements for waste management. The regulatory body reviews and assesses proposals for on-site treatment and storage to ensure that the processed waste and waste packages are compatible with national strategy, relevant waste acceptance requirements for subsequent waste management steps and regulatory requirements. Specifically, the regulatory body assures itself that the waste or waste packages: Infrastructural aspects x Detailed description of the facility, supported by drawings of the layout, the system and the equipment; x Information about the functional capability of the facility, its systems and major items of equipment; x The findings of tests which validate the functional capability; x The results of inspections of components; x Maintenance records; x Description of the present physical condition of SSCS based on inspections or tests; x Description of the support facilities available both on and off the site, including maintenance and repair shops; x Geological, hydrogeological and meteorological conditions; and x Description of off-site characteristics, including population densities, land use, industrial developments and transportation arrangements (such as airports, and road and rail systems). The following information on the facility and the process conducted are provided by the operator at various stages and used as a basis for review and assessment: Physical nature of the facility and its environment TABLE XI. LIST OF IMPORTANT TOPICS FOR REVIEW AND ASSESSMENT A compilation of the safety analysis and its assumptions; Structures, systems and components important to safety; Limits and permitted operational states; Anticipated operational occurrences; Postulated initiating events for the safety analyses, such as external hazards, internal faults and internal hazards; Description how defence in depth concept is fulfilled; Analytical methods and computer codes used in the safety analysis and verification and validation of such codes; Radioactive releases and radiation exposures under normal operation and fault conditions; The operator’s safety criteria for analyses of operator action, common cause events, cross-link effects, single failure criterion, redundancy, diversity and separation. The information that the operators provide to the regulatory body for review and x It will be in control of the facility; x It has an adequate safety management system to be able to manage and control the facility; and x It has resources available to meet its obligations and liabilities in connection with an authorization. At all stages of the facility’s lifetime, the operator demonstrates that: The operating organization and the management system The impact of the facility is assessed and social and economic issues, land use issues, technical issues such as detailed considerations of geology and hydrogeology, transport routes and protection of the environment are taken into account. Both the anticipated impact and the consequences of fault conditions which are the subject of safety analysis are considered. x x x x x x x x x Throughout the lifetime of the facility, the regulatory body reviews and assesses the information provided by the operator on the facility, in particular the information covering: 117 x x x x x x x x x x x x x A mechanism for setting of operating and safety targets; A policy that states that safety takes precedence over production; Documented roles and responsibilities of individuals and groups; Procedures for control of modifications to the facility; Procedures for the feedback of experience to the staff, including the experience relating to organizational and management failures; Mechanisms for maintaining the configuration of the facility and its documentation; Formal arrangements for employing and controlling contractors; Staff training facilities and programmes; A quality assurance programme and regular quality assurance audits with independent assessors; A system for ensuring compliance with regulatory requirements; Comprehensive, readily retrievable and auditable records of baseline information, operational and maintenance history; Staffing levels for the operation of the facility that take account of absences, shift working and overtime restrictions; Qualified staff available on duty at all times; The operator demonstrates that it has: The operator demonstrates an overall safety management system whereby all activities are controlled to provide an assurance that requirements for quality, safety and the environment are met. This includes having operational procedures. x The structure of the operator’s organization, showing that it has adequate control of the activities of its own staff and its contractors; x A demonstration of adequate resources for appropriately trained and experienced staff, ensuring in-house expertise; x Demonstration of the adequacy of the procedures for control of changes to organizational structure and resources; x The specification and documentation of the duties of staff, demonstrating integration of safety responsibilities into their duties; x Demonstration of the provision or access to a high level of expertise in safety to carry out safety and engineering analysis, and associated audit and review functions; x Demonstration of the adequacy of the provisions for financing continuing liabilities and decommissioning; and x Any proposals for the use of contractors. assessment include: x A list of equipment covered by the equipment qualification programme and a list of control procedures; x A qualification report and other supporting documents (such as equipment qualification specifications, qualification plan); The operator provides: Equipment qualification Formal approval and documentation for all safety related procedures; A formal system for modification of a procedure; Understanding and acceptance of the procedures by management and on-site staff; Verification that the procedures are followed; Procedures that are adequate in comparison with international good practice; Arrangements for regular review and if necessary, revision of the procedures; Clear procedures taking into account human factor principles; Procedures which comply with the assumptions and findings of the safety analysis, design and operating experience; and x Adequate emergency operating procedures. x x x x x x x x The operator demonstrates it has: Operational procedures x Systematic and validated methods for staff selection (e.g. testing for aptitude, knowledge and skills); x Programmes for initial, refresher and upgrade training, including the use of simulators; x Training in safety culture, particularly for managers; x Competence requirements for operation, maintenance, and technical and managerial staff; x Programmes for feedback of operating experience relating to failures in human performance; x Guidelines on fitness for duty in relation to hours of work, health and substance abuse; x Competence requirements for operation, maintenance, and technical and managerial staff; and x A system for consideration of the human-machine interface and design and for the analysis of human information requirements and task workload for the control room and other work stations. 118 Verification that the installed equipment matches the qualification requirements; Procedures to maintain qualification during the installed life of the equipment; Information on mechanisms for ensuring compliance with these procedures; Documentation on maintenance, testing and inspection programme and a feedback procedure to ensure that ageing degradation of qualified equipment remains insignificant; Documentation on an analysis of the effect of equipment failure on other equipment qualification and appropriate corrective actions to maintain equipment qualification; Information on protection of qualified equipment from adverse environmental conditions; Information on the physical integrity and functionality of qualified equipment; and Records of all qualification measures taken during the installed life of equipment. x The system for identifying and classifying safety related incidents; x The arrangements for root cause analysis of incidents, the lessons learnt and followup measures taken; x Methods for selecting and recording safety related operational data, including those for maintenance, testing and inspection; x Trend analyses of safety related operational data; The operator provides details of: Operator’s safety performance x Documented methods and criteria for identifying SSCs covered by the ageing management programme; x A list of SSCs covered by the ageing management programme and records which provide information to support the management of ageing; x An evaluation and documentation of potential ageing degradation that may affect the safety functions of SSCs; x Details of the extent of understanding of dominant ageing mechanisms of SSCs; x Details of the programme for timely detection and mitigation of ageing processes and/or ageing effects; x Acceptance criteria and required safety margins for SSCs; and x Awareness of physical condition of SSCs, including actual safety margins. The operator provides an appropriate programme for the management of ageing of equipment that covers: Management of ageing x x x x x x x x x Feedback of experience relevant to safety from similar facilities and other nuclear and non-nuclear facilities; x Assessment of and actions on the basis of the above experience; x Determining the need for research and development; x The receipt of information on the findings of relevant research programmes; x Assessment of and actions on the research information. The operator provides information of its arrangements for: Experience from other facilities and research findings x Feedback of safety related operational data into the operating regime including records and reports of incidents and accidents; x Analyses of safety performance indicators such as: frequency of unplanned termination of operation frequency of selected safety system actuation/demands frequency of safety system failures unavailability of safety systems annual individual and collective radiation doses to workers trends in causes of failures backlog of outstanding maintenance extent of preventive maintenance extent of corrective maintenance including repair and replacement frequency of unplanned operator actions in the interest of safety and their success rate amounts of radioactive waste generated quantities of radioactive waste in storage x Records of radiation doses to persons on site; x Records of off-site contamination and radiation monitoring data for the site; x Records of quantities and relevant characteristics of radioactive waste generated and stored in the facility; and x Records of the quantities of radioactive effluents discharged. 3.2. COUNTRY SPECIFIC APPROACHES AND EXPERIENCE 3.2.1. Deterministic safety approach — French experience [22] The objective of the licensing process is to determine whether the applicant submissions comply with the safety objectives stipulated or approved by the regulatory body. Prior to checking this compliance, the technical aspects of these safety objectives must be reminded. This presentation is focused on pressurised water reactors of the type developed in France, but the principles are more general in scope. 3.2.1.1. Determination of specific risks Nuclear reactors have two specific characteristics that differentiate them from other energy production installations: x These reactors accumulate a large quantity of radioactive products (Table XII) from which staff must be protected and the large scale dispersal of which to the environment would constitute a major accident; x Significant energy release continues for a very long time, even after reactor shutdown, since it is related to the radioactivity of the fission products contained in the reactor core. Plant safety therefore depends on adequate protection with respect to radiation sources together with their confinement. If the sources are localised in the appropriate areas provided, radiation protection can be achieved by the judicious installation of absorbent shields of a suitable material and thickness. Difficulties arise mainly from dispersal of radioactive products outside the standard localised areas. The possible causes of such dispersal shall therefore be investigated. Radioactive products are, for the most part, produced within the fissile material itself and it is desirable that they remain there until the fuel has been reprocessed in a suitable plant. Correct cooling of the fuel and fuel cladding is therefore essential. TABLE XII. MAXIMUM ACTIVITY OF THE MAIN FISSION PRODUCTS* Rare gases Iodine Caesium * Core, 2 h after shutdown 107 TBq ** 2 107 TBq 107 TBq Spent fuel Primary system Gaseous effluents 106 TBq 106 TBq 2 104 TBq 3 102 TBq 20 TBq 2 102 TBq 900 MW(e) PWR, maximum burnup 33,000 MWd/tU. 1 TBq = 1012 Bq = 27 Ci (Curie). ** 119 It should be pointed out that: x Under normal operating conditions, a nuclear reactor has no “natural” power level. In order to be able to operate for at least a year without refuelling and counterbalance various power-related effects, the core has to contain a quantity of fissile material far exceeding the critical mass at cold shutdown. The power level produced by this material consequently results from combining various parameters which must be controlled from outside; x Under particular operating conditions, the energy released in a nuclear reactor can increase extremely quickly, in an uncontrolled manner and can then only be limited by neutron feedback effects related to temperature rises or fuel dispersal; x Energy released in fuel that was part of a chain reaction cannot afterwards be annulled, even when the reaction is over. In fact, radioactive products deriving from fission must themselves release a certain amount of energy in order to reach a stable state. They do this with a decay period specific to each element which can be very short (less than 1 second), or average (months or years) or very long (hundreds or thousands of years). Although decreasing, the power produced will for a long time be greater than one-thousandth of the rated power and this calls for continuous cooling (Table XIII). TABLE XIII. RADIOACTIVE DECAY POWER Time after shutdown 1 second 1 minute 1 hour 1 day 1 week 1 month 1 year 10 years 100 years 1000 years Percentage of the initial thermal power 17% 5% 1.5% 0.5% 0.3% 0.15% 0.03% 0.003% 0.001% 0.0002% Thermal power produced in MW 500 150 45 15 9 4.5 1 0.1 0.03 0.006 Prevention of specific risks therefore requires: x Efficient control of the chain reaction and hence the power produced; x Fuel cooling assured under thermal hydraulic conditions designed to maintain fuel clad integrity; x Containment of radioactive products in the fuel, in the primary coolant and specifically in the containment building. Maintaining these three safety functions is the key to reactor safety. 120 3.2.1.2. Potential risks, residual risks, acceptable risks Estimation of the risks associated with operation of a nuclear installation requires that a distinction be made, as for all industrial facilities, between potential risks, which would exist in the absence of all protective measures, and residual risks, which remain despite provisions made to prevent accidents and, if an accident occurs, to minimise the consequences. Nuclear safety is specifically concerned with this dual objective. Potential risks are clearly defined by the radioactive substances involved, so that the only difficulties involved concern estimating residual risks, since it is impossible to claim that these can be reduced to zero level. These risks are subject to a double estimation, in terms of the probability of possible accidents and in terms of seriousness, depending on the gravity of accident consequences. The idea of probability arises naturally when problems of safety are broached. The logical and instinctive approach is to ensure that an accident is all more unlikely the higher the risk of serious environmental consequences. It is essential that a very severe accident with major consequences be made highly improbable. This natural approach was the guiding principle in the early work carried out in the field of nuclear safety. The “Farmer curve” (Fig. 12), produced at the beginning of the seventies, shows an authorized area and a forbidden area on either side of a curve plotted on a probability versus consequences graph, with the consequences expressed as radioactive iodine release. Only the symbolic aspect is presented here. Consequences Very serious Forbidden area Authorized area Slight Very rare Very frequent Probability FIG. 12. Relation between probability and consequences. (Farmer graph). The designers of nuclear power plants then engaged upon a thorough study and more precise definition of this curve by matching probability ranges with radiological consequences that could be considered acceptable. A few years later, the safety organizations specified an indicative limit for the maximum accident probability likely to give rise to consequences deemed unacceptable. This by no means implies that situations of even lower probability should receive no attention. It has to be shown that all types of accidents considered credible have been taken into account and are covered by the accident studies performed and that the systems provided to prevent their development or mitigate their consequences, the engineered 121 safety systems built into the installations, effectively enable the safety objectives to be achieved. Safety specialists have progressively developed an entire arsenal of principles, concepts and methods applicable both at the design stage and at the construction and operating stages. These are, firstly, the barriers, secondly the defence in depth concept, which has been gradually extended and is presented in what follows, and thirdly the probabilistic studies. 3.2.1.3. Defence in depth concept Objectives of defence-in-depth Implementation of defence in depth concept contains several levels of protection, including successive barriers preventing the release of radioactive material to the environment. The objectives are as follows: x To compensate for potential human and component failures; x To maintain the effectiveness of the barriers by averting damage to the plant and to the barriers themselves; and x To protect the public and the environmental from harm in the event that these barriers are not fully effective. Barriers When France adopted the pressurised water reactor system this country had already built several major nationally designed installations and perfected an appropriate safety approach, the barrier method. Protection of the public against the consequences of an accidental release of fission products rests on the interposition of a series of leak tight barriers. The French practice considers three barriers (Fig. 13): the fuel cladding, the reactor coolant pressure boundary, the primary containment but it is known that some countries consider the fuel matrix as a first barrier which does not really affect this method. Each of these is examined in detail under three operating conditions: x Normal operation. x Normal operating transients. x Abnormal operating transients. Safety analysis therefore consists of ensuring the validity of each of these barriers and their correct operation under normal and accident reactor operating conditions. This kind of analysis emphasises the progressive nature of safety by distinguishing three successive but interrelated stages: x Prevention. x Monitoring. x Mitigating action. 122 3rd barrier : reactor containment building 2nd barrier : Reactor coolant pressure boundary Steam lines Steam generator 1st barrier : Fuel cladding Primary Claddings pump Pool Pressurizeur Claddings FIG. 13. Main PWR barriers. This barrier method is deterministic, since it attests the possibility of a certain number of accident situations. Applying it during the first 900 MW(e) PWR unit examinations at the beginning of the 1970s revealed certain difficulties. If the definition of the first barrier is simple despite its extent, this is not true for the other two barriers. The reactor coolant pressure boundary is clearly defined within the reactor building. It branches out, however, in a fairly complex manner in the auxiliary buildings. The spent fuel pit has the same function, despite its free surface. The reactor building containment is not the only place containing spent fuel or primary coolant. Delimitation of the third barrier is thus also fairly complex. Finally and most importantly, this succession of three barriers implies one markedly important fact: the steam generator tubes with a considerable total surface area and a very thin wall simultaneously fulfil the function of primary coolant enclosure and containment (second and third barriers). These reflections have contributed to the evolution of safety thinking from the barrier method to the defence in depth concept. This concept in fact includes the barrier method, but enables an analysis of installations to be carried out which is both more comprehensive and more detailed. Levels of defence The defence in depth concept is not an installation examination technique eliciting a particular technical solution, but a method of reasoning and a general framework enabling more complete examination of an entire installation. It was developed in the USA in the sixties and was notably the design basis for the Westinghouse nuclear power reactors. The approach linking successively prevention, monitoring and mitigating action is broadened to cover all safety related components and structures. We shall see that this approach, initially developed for plant design analysis, is also well adapted to operating organization. Before describing the different stages involved, the principle can be simply summarised as follows: Although the precautionary measures taken with respect to errors, incidents and accidents are, in theory, such as to prevent their occurrence, it is nevertheless 123 assumed that accidents do occur and provisions are made for dealing with them so that their consequences can be restricted to levels deemed acceptable. This does not obviate the need to study still more severe situations, the causes of which may as yet be unknown, and to be ready to confront them under the best possible conditions. The approach combines the prevention of abnormal situations and their degradation with the mitigation of their consequences. It is a deterministic method, since a certain number of incidents and accidents are postulated. The defence in depth concept consists of a set of actions, items of equipment or procedures, classified in levels, the prime aim of each of which is to prevent degradation liable to lead to the next level and to mitigate the consequences of failure of the previous level. The efficiency of mitigation must not lead to cutbacks in prevention, which takes precedence. In July 1995, the IAEA International Nuclear Safety Advisory Group adopted a document on this subject INSAG-10, “Defence in Depth in Nuclear Power Plant Safety”, [9]. This document presents the history of the concept since its inception, how it is currently applied and indicates advisable modifications for its application to the next generation of reactors. The defence in depth concept now comprises five levels. The way in which these levels are structured may vary from one country to another or be influenced by plant design but the main principles are common. The presentation below is consistent with the new INSAG document (See Fig. 14). First level: Prevention of abnormal operation and failures The installation must be endowed with excellent intrinsic resistance to its own failures or specified hazards in order to reduce the risk of failure. This implies that following preliminary delineation of the installation, as exhaustive a study as possible of its normal and foreseeable operating conditions be conducted to determine for each major system, structure or component, the worst mechanical, thermal, pressure stresses or those due to environment, layout, etc. for which allowance must be made. Normal operating transients and the various shutdown situations are included in normal operating conditions. The installation components can then be designed, constructed, installed, checked, tested and operated by following clearly defined and qualified rules, while allowing adequate margins with regard to specific limits at all times to underwrite correct behaviour of the installation. These margins should be such that systems designed to deal with abnormal situations need not be actuated on an everyday basis. A moderate-paced process with a computer-based control system will diminish operating staff stress hazards. Man-machine interface provisions and time allowances for manual intervention can make a significant contribution. In the same way, the various disturbances or hazards deriving from a source external to the plant and which the installation must be able to withstand without operating disturbances or, in other cases, without causing significant radioactive discharge, shall be specified. Site selection with a view to limiting such constraints can play a decisive role. In this way, it is possible to determine a reference seismic level, extreme meteorological conditions expressed as wind speed, weight of snow, maximum over-pressure wave, temperature range, etc. The new stress factors thus derived shall be used in the same way as before. 124 Sets of rules and codes define in a precise and prescriptive manner the conditions for design, supply, manufacture, erection, checking, initial and periodic testing, operation and preventive maintenance of all safety related equipment and structures in the plant in order to guarantee their quality in the widest sense of this term. The selection of appropriate staff for each stage, from design to operation, their appropriate training, the overall organization, the sharing of responsibilities or the operating procedures contribute to the prevention of failures throughout plant life. This also applies to the systematic use of operating feedback. On this basis may be defined the authorized operating range for the plant and its general operating rules. Second level: Control of abnormal operation and detection of failures3 The installation must be prevented from straying beyond the authorized operating conditions which have just been defined and sufficiently reliable regulation, control and protection* systems must be designed with the capacity to inhibit any abnormal development before equipment is loaded beyond its rated operating conditions, so defined as to allow substantial margins with respect to failure risks. Temperature, pressure and nuclear and thermal power control systems shall be installed to prevent excessive incident development without interfering with power plant operation. With a plant design procuring a stable core and high thermal inertia, it is easier to hold the installation within the authorized limits. Systems for measuring the radioactivity levels of certain fluids and of the atmosphere in various facilities shall assume monitoring requirements and check the effectiveness of the various barriers and purification systems. Malfunctions clearly signalled in the control room can be better dealt with by the operators without undue delay. Finally, the protection systems, the most important of which is the emergency shutdown system but also including, for example, safety valves, shall be capable of rapidly arresting any undesirable phenomenon, inadequately controlled by the relevant systems, even if this entails shutting down the reactor. Furthermore, a periodic equipment surveillance program enables any abnormal developments in major equipment to be spotted. Such developments would otherwise be likely to lead to failures over a period of time. Periodic weld inspections, crack and leak detection, routine system testing pertain to these preventive surveillance activities. Third level: Control of accidents within the design basis The first two levels of defence in depth, prevention and keeping the reactor within the authorized limits, are designed to eliminate with a high degree of reliability, the risk of plant failure. However, despite the care devoted to these two levels and with the obvious aim of safety, a complete series of incidents and accidents is postulated by assuming that failures could be as serious as a total instantaneous main pipe break in a primary coolant loop or a steam line or could concern reactivity control. This places us in a deterministic context, which is one of the essential elements of the safety approach. 3 Control systems are sometimes included in first level provisions. The INSAG document places automatic shutdown at third level. But these variations make no difference to the general principle. 125 We are then required to install systems for limiting the effects of these accidents to acceptable levels, even if this involves the design and installation of safety systems having no function under normal plant operating conditions. These are the engineered safeguard systems4. Start-up of these systems must be automatic and human intervention should only be required after a time lapse allowing for a carefully considered diagnosis to be reached. In the postulated situations, the correct operation of these systems ensures that core structure integrity will be unaffected, which means that it can subsequently be cooled. Release to the environment will consequently be limited. The choice of incidents and accidents must be made from the beginning of the design phase of a project so that those systems required for limiting the consequences of incidents or accidents integrate perfectly with the overall installation design. This choice must be made with the greatest care as it is very difficult to insert major systems in a completed construction at a later date. Fourth level: Control of severe plant conditions including prevention of accident progression and mitigation of severe accident consequences In the context of on-going analysis of risks of plant failure, such as the accident which occurred at Three Mile Island in 1979, it was decided to consider cases of multiple failure and, more generally, the means required to contend with plant situations which had bypassed the first three levels of the defence in depth strategy or which were considered as part of the residual risk. Such situations can lead to core meltdown and consequently to even higher release levels. The concern here is consequently to reduce the probability of such situations by preparing appropriate procedures and equipment to withstand additional scenarios corresponding to multiple failures. These are the complementary measures aimed to prevent core meltdown. Every endeavour would also be necessary to limit radioactive release due to a very serious occurrence which would nevertheless have involved core meltdown and to gain time to arrange for protective measures for the populations in the vicinity of the site. It is then essential that the containment function be maintained under the best possible conditions. The latter accident management actions are defined in emergency procedures and are outlined in the internal emergency plan and will be discussed in detail in Appendix III. Fifth level: Mitigation of radiological consequences of significant off-site releases of radioactive materials Population protection measures because of high release levels (evacuation, confinement indoors, with doors and windows closed, distribution of stable iodine tablets, 4 For PWR's built in France, these systems are: • the emergency core cooling system • the steam generator auxiliary feedwater supply system • the containment withstanding an over pressure of about 4 bar rel associated with the systems ensuring internal spraying, the automatic isolation of penetrations, containment atmosphere monitoring and, in the case of double-wall containment, depressurization of the annulus. 126 restrictions on certain foodstuffs, etc.) would only be necessary in the event of failure or inefficiency of the measures described above. So we are still in a defence in depth connotation. The conditions of this evacuation or confinement are within the scope of the public authorities. They are supplemented by the preparation of long or short term measures for checking the consumption or marketing of foodstuffs which could be contaminated. Such measures are included in the external emergency plans. The decision to implement such measures will be based on analysis of the situation by the operator and the safety organisms and then on environmental radioactivity measurements. Periodical training drills will also be necessary in this area to ensure adequate efficiency of the resources and linkups provided. Elements common to the different levels Defence in depth can only be satisfactorily implemented if care is taken at each level to ensure: x appropriate conservatism; x quality assurance; and x safety culture. The notions of conservatism and safety margins, very closely linked with the deterministic approach, apply more to the first three levels of defence. Severe accidents, on the other hand, generally require a less conservative approach, and realistic assessment is preferable when population has to be protected against substantial radioactive release. Each level of defence can be effective only if the quality of design, materials, structures, components and systems, operation and maintenance can be relied upon. Finally, all parties actively involved in plant safety, whether they are operators, constructors, contractors or members of safety organizations, must be thoroughly versed in safety culture. General comments The notion of successive levels of defence implies that these levels are as independent as possible. It will consequently be very important to ensure that the same event or failure, whether single or multiple, could not affect several levels simultaneously, thereby calling the entire approach into question. This would be the case, for example, if a specific failure inhibited the systems provided to limit the consequences of the event considered. Safety system reliability must be adequate. Special design, layout and maintenance rules are applied to them. The fourth level was set up to fill in the gaps revealed in the situations envisaged prior to 1975. This level thus covers measures for the prevention of substantial core meltdown that ought to have been included in the third level, and provisions for the management of more severe accidents that fit better into this stage in the phasing of preventive actions. 127 Mitigation of radiological consequences of significant off-site releases of radioactive materials Control of severe plant conditions including prevention of accident progression and mitigation of severe accident consequences Control of accident within the design basis Control of abnormal operation and detection of failures Prevention of abnormal operation and failures Conservative design and high quality in construction and operation Control, limiting and protective systems and other surveillance features Engineered safety features and accident procedures Complementary measures and accident management Off-site emergency response FIG. 14. The defence in depth concept: purposes, methods and means (INSAG-10). Until recently, levels 4 and 5 were combined in one level. In accordance with the logic of the defence in depth concept, the need for protective actions with respect to populations in the vicinity of the site effectively corresponds to the failure, or relative failure, of the measures taken at the previous level. There must consequently be a differentiation between the two levels involved. The efficiency of these principles and methods would be limited if the quality assurance of all activities involved in the design, supply, manufacture, erection, tests and inspections, operating preparations and the actual operation itself were not fully ensured. This depends on the motivation of all concerned and implies appropriate organizational procedures. Obviously, the quality assurance process is more difficult to apply in the very disturbed situations covered by the severe accident management but mentioning this idea even in this case is recalling the need of well structured decision making process and methods to be prepared for such situations. 3.2.1.4. Defence in depth implementation in operation [22B] As mentioned, the defence in depth concept is fully applicable for operational activities and the operating documents as the general operating rules should reflect it in its different Chapters: 128 Level 1: Prevention x Plant organization, staff selection and training; x Normal operation procedures; x Implementation of the technical specifications. Level 2: Surveillance x Periodic testing programme; x Preventive maintenance programme; x Incident detection and analysis. Level 3: Mitigation x Incident and accident procedures. Level 4: Accident management x Beyond design basis accident procedure; x Internal emergency plan (links with external emergency plan). Level 5: Emergency response x External emergency plan. 3.2.1.5. Postulated initiating events [22B] The defence in depth concept implies that postulated incidents and accidents are examined by varying the safety functions over a range of possibilities: x Criticality control (controlling the power); x Residual power removal (cooling the fuel); x Radioactive products containment (confining the radioactive material). The design basis incidents and accidents are chosen to be the most penalising cases enveloping a family of events of equivalent classes of estimated frequency. Historical survey The scope of foreseen situations has evolved over the time thanks to the continual search for safety improvement, better safety studies and operating experience. At the beginning of the 1970s, plant design was based on a three-level defence in depth concept: good design, good surveillance provisions and engineered safeguard systems to limit the consequences of postulated accidents. These incidents and accidents were assumed to be due to single failures associated with conventional failure conditions (single failure, earthquake, loss of external power). Apart from the fuel handling accident, all the scenarios were assumed to occur during power operation. Duplicating safety related systems was considered sufficient. In the mid-1970s, probability studies of total failure of these systems and the associated consequences showed that duplication was not an entirely satisfactory solution, with the result that provision was made for complementary measures to contend with these multiple failures. 129 This applies mainly to the scram system, the electrical power, the steam generators feed water and the ultimate heat sink. In 1979, the Three Mile Island accident demonstrated that cumulated human and equipment failures could lead to far more serious consequences than those considered at the design stage, without calling the overall approach into question. Considering single initiators or identified multiple failures on a single function was no longer sufficient. Operating procedures were then reviewed and vastly modified. This was followed by the development and integration of systems capable of limiting the probability and consequences of severe accidents. In 1986, the Chernobyl disaster, although it occurred in a reactor of totally different design to those used in Western Countries, nevertheless highlighted the organizational difficulties raised by a severe accident situation (long term release period, consideration of caesium and strontium, difficulties and drawback of population relocation, insufficiency of the rate of induced cancer to characterise the effects on the population). Moreover, this accident led to a review of reactivity accident provisions, with the gradual discovery of several significant scenarios that had not been previously identified and the subsequent implementation of requisite preventive measures. Meanwhile, the publication of probabilistic safety studies demonstrated risks related to outage situations, seeming thus to confirm trends suggested by operating feedback and the weight (positive and negative) of the human factors. Worldwide operating experience shows time after time additional unexpected potential scenarios and the inadequacy of some initial assumptions (an observed SG tube rupture frequency 10 to 100 higher than expected). Over the same period, consideration of internal and external hazards was progressively extended. Consideration of traditional lists of incidents and accidents is needed but insufficient. “Excluded” scenarios Some scenarios cannot be treated along the line of defence in depth as no efficient engineered safety systems are able to control the situation, to prevent core degradation, to mitigate the radiological consequences. It is the case when the initiating event induces the simultaneous destruction of the containment capability Typical examples are: x x x x Sudden rupture of the reactor vessel; Steam line break between the containment and the main isolation valve; Steam generator outer shell rupture; Severe criticality accidents. They must be identified and recognised in order to be excluded thanks to convincing prevention and surveillance measures. 130 3.2.1.6. Accident analysis [22B] A formal incident and accident analysis process is needed as a part of the safety demonstration. It includes several items that could be summarised as follows. Choice of pessimistic initial conditions For each scenario the initial conditions should be the worst authorized ones for the studied phenomena, with uncertainty margins such as: x Maximum fission products or primary coolant contamination; x Minimum temperature coefficient (beginning of life) for heating effects like control rod withdrawal; x But maximum temperature coefficient (end of life) for cooling events like steam line rupture. Implementation of the single failure criterion This Convention is designed to provide adequate reliability to the engineered safety features. Special care is needed with 2 × 100% solution for maintenance and any unavailability. The single failure criterion can be threatened by any common cause failure such as fire, flooding or human intervention. Segregated lay-out is needed associated with protective measures and intervention procedures. Conventional loads and conditions combinations The loss of external power sources is added to each abnormal occurrence, incident and accident with addition of the safe shutdown earthquake SSE at least for the largest breaks. Appropriate and established design margins Design and construction codes should fix the level of adequate margin associated with testing methods. Prevention of accident degeneration An incident should not induce another incident of the same category or degenerate in an incident of the following one. The physical effects and mechanical loads due to an accident should be considered to avoid additional consequential failures. Human intervention grace period Automatic devices should be sufficient to manage the design basis accidents during at least 20 minutes to decrease the adverse stress effects on the operators. 131 Calculation of radiological consequences For the design basis accidents these calculations are based on noble gas, and iodine with very pessimistic transfer coefficients (mainly for iodine although there are very large differences from one country to another). The assessment assumes that people are living close to the plant fence and submitted to a unique plume passage (2 hours). Acceptance criteria are based on health effects on man (increase of fatal cancer rate). The Chernobyl accident showed the limits of this approach for severe accidents and for the preparation for external countermeasures. The source terms should be evaluated through more realistic methods but still be conservative and cover more radioactive materials like caesium or strontium and with potentially longer releases. Acceptance criteria are based on ICRP publication N° 63 and consider life disturbance such as people displacement or soil and foodstuffs contamination. 3.2.1.7. Internal and external hazards [22B] Internal and external hazards that are not initiating events should not induce such failures. In addition, they should not decrease the potential of engineered safety system to act properly when they are needed which requires specific care for the prevention of common mode failures. A typical list of internal events is: x x x x x x Missiles from inside the containment. Results of piping breaks. Turbo-generator bursting. Protection against load dropping. Fire protection. Internal flooding. A typical list of external hazards to be considered as appropriate: x x x x x x x x x Earthquakes. Soil movements. Volcanoes. Aircraft crashes. Explosions. Fires. Toxic or corrosive gases. Floods. Meteorological hazards (wind, snow, hurricane, tornado, extreme temperature). Probabilistic evaluation can be used for some internal and external events like turbine missile, aircraft crashes and explosions that need the definition of an indicative threshold. An annual probability value of 10-7/plant for “unacceptable consequences” is used in some countries. If needed and to avoid difficult demonstrations, the protection of the equipment is provided by the capability of the related buildings to withstand the impact in defined 132 conditions. Most of internal and external hazards are coped with by preventive measures but fires are treated by prevention, surveillance and mitigation. 3.2.2. Assessment of modifications — German and Finnish experience The operating organization is responsible for plant modifications as it is for the initial design. As a minimum, any modification that modifies the initial design approved during the licensing process requires an authorization. 3.2.2.1. German classification of modifications [17] The scope of permitted activities is stipulated in detail by additional conditions in the nuclear licences. Under which conditions and in which way modifications of the plant and its operating mode are to be made is particularly laid down in the Atomic Energy Act (AtG) and in the licences. This concerns not only modifications of the system design but also modifications of the operating mode and organization of the plant. It is stated in Paragraph 7 of the Atomic Energy Act that not only the construction and operation of nuclear facilities are subject to licensing, but also major modifications to it. The proceedings in this respect are the same as those applied for licensing of construction or operation. Details are stipulated in the Nuclear Licensing Procedures Ordinance (AtVfV). Major modifications, which are subject to licensing therefore, are in general modifications: x Leading to a considerable change of activity release during normal operation or during incidents; x Leading to an increase of the allowed activity inventory of the plant; x Leading to a change of the maximum permissible reactor output; x Concerning the basic design features of the plant or its operation; x Extending the licensed use of nuclear fuels or the handling of radioactive substances; x Connected with significant structural changes. Modifications subject to licensing are to be published and debated in public before the granting of a license if the impact of the plant on the environment may be changed or increased following such modifications. By this, the citizens concerns are informed about the planned modification and are enabled to raise objections or to bring an action against the license. The general public is not involved in case of insignificant modifications, i.e. modifications not subject to licensing. In the operating licences of nuclear facilities, it is in general stipulated by additional conditions that also modifications not subject to licensing have to be reported to regulatory authority and may only be carried out within the scope of a prescribed modification procedure. In most cases the modifications are categorised according to their safety-related relevance: 133 x Modifications having an impact on the safety level of the plant — often denoted as safetyrelevant modifications — in general are subject to approval by the regulatory authority and can be made contingent upon the fulfilment of specified requirements. x Modifications having no impact on the safety level of the plant — safety-irrelevant modifications — can be carried out autonomously by the operator according to plant internal specifications without special approval of the supervisory authority. These modifications have only to be reported to the regulatory authority and the experts consulted to verify the correctness of the categorisation. x Insignificant modifications as well as editorial changes of written internal regulations may be performed according to internal specifications without advance information of the regulatory authority and the authorized expert. The definition of the different categories of non-significant modifications is somewhat unclear and is stated differently by each responsible regulatory authority so that only a rough characterisation can be made: x Safety-relevant modifications are those of safety systems or other systems relevant for the nuclear safety and radiation protection, or they are safety-relevant if by the modification there are potential negative impacts on such systems. x Not relevant for the safety are modifications to non-nuclear systems as far as there are no potential impacts on nuclear systems. x Insignificant modifications are minor modifications in areas without nuclear safetyrelated relevance. x Editorial changes are changes to written internal instructions that do not affect the factual contents of the instruction. Implementation of modifications Safety objectives of a modification should be proposed by the operating organization or can be notified by the regulators. Technical solutions are always the responsibility of the operator. Any modification should: x Take into account any available information related to any relevant incidents, gathering as many of them as possible; x Take into account the initial design basis in order to avoid loss of initial characteristics; x Be easy to test in a representative manner; x Be tested as long as needed; x Be integrated in plant documentation and in operating staff training. 134 A significant change in operating conditions like an increase of the fuel burn-up rate should be studied like a significant modification and justified by the applicant to the safety authority. Subsequent difficulties should lead to a complete reassessment of the modification justification and testing. 3.2.2.2. Assessment of system modifications in Finland [23] A system pre-inspection is carried out in the form of an assessment of the preliminary and final safety analysis reports and the related topical reports during the construction phase. During the operation of a nuclear installation, a system pre-inspection of plant modification can be conducted on the basis of separate system pre-inspection documentation before the final safety analysis report is changed. Pre-inspection documents shall be submitted to the regulatory body (STUK) for approval at least concerning the modification of systems in safety classes 1, 2 and 3 as well as the modification of systems STUK has earlier requested inspection for other reasons. Modification of systems inspected by STUK earlier are submitted to STUK at least for information. Also an individual component modification which significantly changes a system’s operation or its operating parameters is considered a system modification. The pre-inspection documents of the system modification contain the following: x x x x x Causes and justification for the modification; System design bases; Description of the operation of the system’s modified part; Analysis of the system; Any other reports deemed necessary. The reasons for modifications are always stated and justified. In the basic system design it is stated which guides and standards have been used in design. The design bases include also the following items: x Safety class; x Design parameters (pressure, temperature, flow, chemical environment, requirements concerning leak tightness etc.); x Ambient conditions; x Requirements for structural materials. In the description of the operation of a system’s modified part, the system’s operation during normal operational stages as well as during anticipated operational transients and postulated accidents are described. The modification’s impact on operation is described. The necessary diagrams and drawings as well as the design parameters of the most important components are included in the description of operation. The description shall be extensive enough to contain all information required for a system analysis. The objective of the system analysis is to ascertain that the system operates in conformity with the design and that the modified system meets the requirements set forth in the guides and standards applied in system design. In connection with extensive 135 modifications, disturbance and accident analyses for the installation as well as system reliability analyses are repeated to the extent deemed necessary if the conducting of such analyses for the system in question was required previously. Changes eventually proposed to the technical specifications and test run programme of the modified system are submitted for approval together with pre-inspection documentation, or, well in advance of the test run. The proposal containing the changes required in a system’s operating procedures are submitted to STUK prior to the commissioning of the system. Changes of the final safety analysis report are submitted to STUK after the implementation of the modification. As regards work arrangements during a system modification, reports on radiation protection, fire protection and physical protection are provided where necessary. 3.2.3. Assessment of operational experience — French experience [22] The main objectives of the assessment of operational experience can be summarised as follows: x To avoid re-occurrence of observed failures from equipment or human origin. x To detect precursors of more severe accidents. x To assess whether the plant behaviour and equipment reliability are consistent with the design assumptions. This provides additionally actual equipment reliability data needed for PSA. x To assess that the modifications give the desired results without any detrimental secondary effects. x To detect as soon as possible ageing phenomena. x To check the overall quality of operation practices. For each unit all the information provided must be used locally. Information from other units of the same type or even very different, from the same country or from abroad is also beneficial. The assessment of operational experience must be carefully structured within the operating organization and within the regulatory body. The presentation of the French practice illustrates a way to handle this important topic. Detection and declaration of abnormal events are the responsibility of the operating organization. Inspections may check that no declaration is missing. The French context is specific: one organization operating a large number of identical or similar reactors, of which it is the architect-engineer. At the beginning of 1998, thirty-four 900 MW(e) PWR’s and twenty 1300 MW(e) PWR’s were in service. Two 1400 MW(e) units went critical and started operating, two others are at the end of the construction phase. Starting from initial criticality in each plant, this gives an accumulated 900 MW(e) unit experience of about 550 reactor-years and 1300 MW(e) unit experience of about 200 reactor-years, thus totalling around 750 reactor-years of experience concerning reactors which are still relatively 136 “young”. The result is that there is a considerable mass of consistent data, which is a huge advantage for plant operation. On the other hand, it is obvious that with such a system very fast identification of problems liable to occur in a whole family of plants is vital, since otherwise a very specific type of “common mode” failure could lead to national grid power supply deficiencies, which would be difficult to cope with in a country where three-quarters of the electricity comes from nuclear power plants. Likewise, any changes or modifications involving a significant percentage of the installed capacity can only be undertaken in compliance with stringent requirements and with all due precautions. 3.2.3.1. Incident selection In order to facilitate the task of both operators and the safety authorities, it was decided to define two groups of safety-related events, of different levels of severity and to which different methods of analysis were applied, whereas all other non-safety-related incidents gave rise to no particular transfer of information. Safety-related events Presuming that the technical operating specifications comprise all instructions pertaining to the availability of plant safety-related equipment and to the limiting values assigned to the various operating parameters, any failure of such equipment resulting in it being reported unavailable or any overstepping of a threshold is considered to be a safetyrelated event. This definition is fairly straightforward for the operators, since they have to monitor both this equipment and these parameters, in any case. The necessity for reporting these events is well understood by the operating personnel, who are accustomed to using these Specifications, but less well by the maintenance staff. EDF is taking steps to gradually improve this situation. As these safety-related events are not in themselves serious incidents, they need not be the subject of specific reports from the operator, but must, on the other hand, be immediately entered into a national data base, managed by EDF and accessible to the DSIN and the IPSN. The number of safety-related events entered into the EDF file increased rapidly between 1990 (2600) and last year (9500 in 1997), faster than the number of operating units, thanks to the development of the safety culture. The average number of reports per unit is about 175 for the 900 MW(e) plants and 200 for the 1300 MW(e) plants. Certain plants have increased the number of events reported in compliance with recommendations following an EDF in-house nuclear inspection. Significant incidents Generally speaking, safety-related events do not in themselves call for detailed analysis nor are they severe accident precursors. The latter are more likely to be found in another category of operating non-conformance, classified as significant incidents. These are generally safety-related events which also satisfy certain specific criteria defined by the DSIN after discussion with the operators. These criteria were precisely defined with a view to obtain their automatic application without excessively different interpretation from one plat to another. they were formalised in 1982 but, there again, owing to the difficulties encountered and 137 discussed with the safety organizations, EDF periodically revises the corresponding internal procedures to improve uniformity of application between the different plants. The significant incidents reporting criteria may be summarised as follows: x Emergency shutdown, except in the context of a deliberate scheduled action or defects affecting the turbogenerator; x Implementation of an engineered safeguard system, except in the context of a deliberate scheduled action; x Any incident where, in any standard operating state, a change of state would be incurred by application of the technical specifications; x Long-term unavailability or multiple inoperability; x Overshooting certain thresholds or authorized values; x Actual or potential common mode failure (fire, onsite flooding, system interaction, design or construction error liable to concern several sets of equipment or several plant units, etc.); x External hazard: earthquake or plane crash, for example; x Real or assumed malevolent act; x Uncontrolled radioactive release or that exceeding the authorized levels; x Exposure of people beyond the specific worker exposure limits; x Incident of nuclear origin having caused loss of life or serious injuries; x Malfunction or incident placing or able to place the plant outside its design basis operating range; x Any other event deemed sufficiently important by the operating or safety authority. A significant incident must be reported to the safety organizations by telex on the day it occurs or on the next working day and be reported within two months in a detailed analysis conforming to a given standard procedure. The first analysis is made by the plant concerned and is supplemented, if required, by a second analysis performed by other specialized EDF departments. Direct exchanges between safety authority analysts and the operators can be set up as soon as the telexed report is received. This is particularly the case when it is feared that at least several plants could be concerned by the faults identified or when a severe accident precursor is suspected. The mean number of significant incidents is more or less constant over several years — about seven to eight per year, per unit — there are significant variations from one site to another. Almost half of these incidents now occur during unit outages. This confirms the 138 specific difficulties of these periods and probably also witnesses the penetration of safety culture: perhaps certain incidents with no consequences for plant unit operation would previously not have been reported. In any cases, detection and declaration of safety significant events and significant incidents are the responsibility of the operating organization. Inspections may check that no declarations are missing. 3.2.3.2. Significant incident analysis methods The methods described below were gradually elaborated by collective team work. From the outset, the IPSN has been an instigator, devising approaches to be adopted and developed by the operating utility. Collective examination of events and incidents At the IPSN, supervision of a set of plant units (ideally two units) is particularly entrusted to a specific assignment engineer. In order to derive maximum benefit from PWR standardization, each specific assignment engineer is informed of all significant PWR incidents by circulation of the relevant telexes and reports. All the incidents are reviewed during weekly meetings, when the most important occurrences are short-listed. During these meetings, the specific assignment engineers indicate the most significant recent “safety-related events” and exchange available information on incidents abroad. In this way, each analyst is informed of occurrences affecting the French PWR population and of significant incidents reported abroad. In the EDF head office departments, the working method is much the same. Selection of significant incidents for in-depth analysis The significant incidents for in-depth analysis are selected during these meetings. The selection criteria are not formalised but may be outlined as follows: x Incidents which have an affinity with the corresponding design basis incidents, with an estimated frequency of below 10-2 per year and per unit, or which are capable of leading to such incidents, possibly under different operating conditions; x Incidents not foreseen at the design stage; x Accumulated safety-related system failures and accumulated errors, whether due to random faults, common mode failures or system interaction; x Incidents giving rise to errors resulting from failure to understand plant behaviour or safety requirements. x Significant effect on core-melt frequency indicated by PSA. There is consequently a systematic, although often implicit, reference to the design rules and criteria, enabling appraisal both of the gravity of the incident and the validity of the design rules. The 400 to 450 significant incidents on French PWR’s reported every year give rise to ten to twenty in-depth analyses, each of which may cover several incidents. 139 Example of classification An example of classification relating to different types of events occurring on the same function will illustrate the differences between the levels. When one emergency core cooling train (out of two) is unavailable the technical specifications require to have reached cold shutdown before a time limit of 3 days if repair work and requalification cannot be done properly in shorter time. x The unavailability of one train discovered by a periodic test, having a non generic cause, and for which repair and requalification can be done in less than 3 days is a safety related event. x The unavailability of one train discovered by a periodic test, but possibly generic, and/or asking for repair and requalification more than 3 days is a safety significant incident. x Both low-head ECCS pumps tripping on an ECCS signal (as occurred at Blayais 1 in 1991) represents a precursor event. In depth analysis The starting point for analysis will be a thorough acquaintance with how the incident took place, which safety functions were implicated, how operators and equipment behaved, what the consequences were, together with knowledge of any similar incidents which may have occurred. Despite the quality of the operator incident reports, the information supplied usually has to be supplemented by direct contacts with the plant or the relevant EDF head office departments and, in many cases, by inspection of the buildings and equipment concerned. The first action consists in determining whether, in other circumstances, the same accident would have had far more severe consequences. This is known as exploring the degeneration paths and can be summed up by the question “what if ? ...”. The second action consists in seeking the root causes of the incident by tracing back as far as possible along the branches of the incident cause tree, not only as regards equipment, but also procedures and human behaviour, differentiating between what is specific to the plant considered and what could occur at any units of the same type. The third action consists in applying to other equipment, systems or situations the root causes identified to make sure that they could not initiate entirely different sequences of consequences, which could be potentially serious. The analysis then proceeds with the identification of incidents of the same type or of possible precursor events. It is, of course, obvious that the in-depth analysis of a significant incident must not be isolated from the overall context of other incidents in France or elsewhere and that parallels should be freely drawn. So this concerns both events having the same material, human or organizational origins and incidents arising from similar scenarios. This grouping of incidents is an essential element in the valid appraisal of data provided by a significant incident. The first corrective steps proposed by the operating utility are often simple compensatory measures, such as instructions aimed at precluding scenarios with more severe 140 consequences further to an initiator of the same type as that observed. Such “administrative” steps can generally be taken without loss of time and at low cost. Analysts and operators readily agree on this type of measure. However, it is not so easy to arrive at agreement in cases where modifications to the plant are deemed necessary, especially if these have to be extended to other equipment or several plant units. IPSN in-depth analysis reports on significant incidents systematically conclude with recommendations that may be reformulated by the DSIN as requests to the operating utility or special requirements. Before transmission to the DSIN, draft recommendations are, of course, discussed with the operating authorities both as regards the measures required and the time allowed for their implementation. These technical contacts provide good opportunities for deep thinking. They in no way infringe IPSN autonomy, since points of agreement and disagreement are clearly explained with arguments for or against. It should also be borne in mind that the IPSN is required to express its decision as to the acceptability of proposals made by the operating utility. It is not within the scope of its function to prescribe technical solutions. These have to be determined by those responsible for the installation. Guidelines for significant incident analysis This analysis method was gradually structured by the EDF head office departments to assist the different plants in conducting as exhaustive an analysis as required. The main steps are as follows: x Cause analysis: Data collection. Logical sequence of events. Identification of failures and inappropriate actions. Identification and explanation of discrepancies with respect to the quality assurance system. x Assessment of effective consequences: For reactivity control. For core cooling control. For containment control. x Identification of operating scenarios disturbed by failures and mistakes: Characteristics of the disturbed scenarios. Identification of the disturbed scenarios. x Assessment of potential consequences: Elaboration of an event tree for each disturbed scenario identified considering the initial state, subsequent undermined states, the defence in-depth lines of defence provided and the quality assurance system. Identification of fault conditions elsewhere in the plant, in other units in the plant considered or on other French sites. x Corrective actions: Required to restart the installation or maintain power operation. Required to preclude fault conditions and inappropriate actions. 141 This method is more and more consistently applied by the plants, resulting in the gradual improvement of significant incident reporting. It is obviously also applied for all indepth analyses deemed necessary by the EDF head office departments. 3.2.3.3. Safety case study: the Three Mile Island accident [22] The Three Mile Island nuclear power plant is located on the Susquehanna River in Pennsylvania, USA, 16 km from the state capital, Harrisburg, a city of 90 000. It has two 900 MW(e) units with pressurised water reactors designed by Babcock and Wilcox. The second unit of the site started commercial operation on December 30, 1978. The Babcock and Wilcox 900 PWR design uses 2 steam generators of the oncethrough type. These steam generators are long, about 28 meters, which induces a specific layout : the bottom of the steam generators is lower then the core inlets (Fig. 15). Then the transition to natural convection cooling on the primary side can be difficult in some conditions. Furthermore, they only contain a small amount of secondary cooling water, making the installation rather sensitive during certain kinds of transient. In the case of a loss of normal SG feedwater there is an increase in temperature, hence in pressure, in the primary cooling system, systematically leading to opening of the pressurizer relief valve, during a few seconds. Containment Spraying Relief Valve Block Valve Safety Valves Steam Generator Pressurizer Level Indicator Core Vessel Primary Pump Pressurizer Relief Tank FIG. 15. Main layout of Three Mile Island NSSS. 142 Simplified scenario The accident starts at 4:00 a.m. on Wednesday March 28, 1979 with the loss of normal water supply to the steam generators. The primary transient causes emergency shutdown, which gradually lowers pressure in the primary cooling system. After 12 seconds the relief valve receives as normal the command to close but this valve remains jammed open. The primary cooling system continues to discharge into the pressurizer relief tank, located in the containment, at a flow-rate of 60 metric tons per hour (there are approximately 200 metric tons of primary coolant). The steam generator auxiliary feedwater system pumps start up normally after 30 seconds, but the connecting valves between the pumps and the steam generators are closed instead of open, due to a maintenance error. The generators dry out in 2 to 3 minutes, stopping all cooling of the primary system. Although the position indicator for these valves located in the control room signal this fault, eight minutes pass before the operators identify the fault and give the command manually to open the valves. Twenty-five minutes pass before the situation of the secondary cooling system stabilises, after numerous operations, no doubt commanding all the attention of the operating team. During this time, discharge through the pressurizer relief valve continues. After two minutes, pressure in the primary cooling system has decreased to approximately 110 bar. The emergency core cooling system starts up automatically and sends cold water into the primary system. The operators check the indicator of the relief valve and see “valve closed”, which in fact is not true. The indicator transmits the command received by the valve, and not its actual position, to the control room. Finally, the operator concentrates on the water level in the pressurizer. The water level in the pressurizer, after lowering at first when the valve was opened, then started to rise rapidly, between the first and approximately the sixth minute. This rise is perfectly normal when there is an opening in the upper part of the pressurizer, but the operators in this plant ignored this fact and had not been trained for this type of situation. In any case, faced with this rapid rise in the pressurizer water level, the operators, believing the relief valve to be closed, are afraid to inject too much water into the system, and therefore stop emergency core cooling manually after less than five minutes. The operators’ mental image of the situation was false, but the actions they decided to perform were obviously based on this image. As of this moment, the water draining from the primary system is not replaced. There is a break in the primary coolant system and the emergency core cooling system is shut down completely. The primary system continues to drain. After 6 minutes, boiling starts. The primary coolant circulating pumps continue to work, circulating a mixture of water and steam comprising more and more steam; however, they manage a certain amount of cooling thanks to the steam generators supplied by the secondary system. The rest of the energy is removed through the primary system break. After fifteen minutes, the pressurizer relief tank rupture disk gives way. The escaping primary coolant now goes directly into the containment. The pressurizer is filled with a mixture of water and steam. Its level indication is meaningless. The proportion of steam in the primary coolant increases. The primary pumps have more and more trouble, and start to cavitate and vibrate. These vibrations become excessive. The operators stop one pump after 1 hour 13 minutes, and the other 27 minutes later, hoping that natural circulation will set up in the primary system. In fact, water and steam separate, with steam accumulating in the top and water in the bottom. There is no longer any circulation of primary 143 fluid and therefore no heat exchange takes place between the reactor core giving off residual heat of a few tens of MW and the steam generators. The heat from the core continues to bring the cooling water to the boil. No more water is being supplied, and the level in the core drops: the core is uncovered. Cooling of the fuel becomes less effective; cladding temperature rapidly increases to 850°C, then past 1300°C. At these temperatures, zirconium reacts chemically with steam to form zirconium oxide and hydrogen. This reaction produces heat, increasing temperatures yet more. Fuel cladding melting point is reached, and there is significant release of fuel fission products to the primary coolant and from there to the containment. After 2 hours 14 minutes, a radioactivity alarm goes off in the containment. The operators are forced to realise the gravity of the situation. Realising that they may well have transferred radioactivity through the relief valve, which had a high leak rate before the accident, they close the line-isolating valve and thereby stop discharge. This also stops all heat removal. The core continues to heat, and primary system pressure increases. The operators start up one of the primary pumps, which sends water cooled in the steam generator onto the extremely hot fuel, which disperses those parts of the fuel above the water level within the reactor vessel. After 3 hours 12 minutes, vaporisation of water on the fuel has caused primary system pressure to rise to a dangerous point. The operators re-open the relief line-isolating valve, drainage starts up again, letting out coolant which is even more radioactive. More radioactivity alarms go off, some of which are outside the reactor building. The water that is spilling into the containment is taken up by automatic sump pumps, which send the contaminated water to storage tanks located in an auxiliary building that is not hermetic. These tanks then overflow and create a source of radioactive steam that can escape outside the plant. A state of emergency is finally declared. The containment is isolated, stopping transfer from the sump to the auxiliary building. It is now three hours and twenty minutes since the accident began. The operators start the emergency core cooling system again at a low flowrate, causing a new shock between the cold water and the hot fuel, then at nominal flow-rate. The core cools, four hours after the first event. It will take another twelve hours to discharge from the primary cooling system most of the hydrogen and fission gases that prevent it from being filled. This is done by alternately opening and closing the pressurizer relief line and starting up safety injection and primary pumps. A localised explosion of about 320 kg of hydrogen in the containment, after 9 hours 50 minutes, induces a 2 bar pressure spike in the reactor building, without causing any particular damage. At 8:00 p.m. on Wednesday, March 28, 1979, the accident itself is over. However, it will take several days more to calm fears of a possible hydrogen explosion in the reactor vessel. The damage to the fuel elements far exceeds that provided for in the worst possible design basis accident. Six years later, in 1985, when it was possible to pass a television camera between the lower internal core structures and the vessel, it was found that 45% of the fuel had melted, along with elements of the cladding and the structures totalling 62 metric tons and forming what is called corium. About 20 metric tons of this corium, formed from the upper part of the fuel, had forced its way through an outer ring fuel assembly and the reactor core external baffles to reach the vessel bottom head itself, but fortunately did not melt through it (see Fig. 16). 144 Upper grid Damage Cavity Core debris Baffle plate Crust Molten materials Molten materials Incore instrumentation guides FIG. 16. Core final status. In spite of this catastrophic fuel situation and the significant transfer of radioactivity to the containment, the immediate radiological consequences in the surrounding area were minimal. Indeed, the containment fulfilled its role almost perfectly. Only the sump transfer pumps were responsible for radioactive release for a limited period. This release, estimated at 13 million curies of xenon and about 10 curies of iodine (i.e. 5.105 and 0.4 TBq), had only very limited consequences. It is estimated that an individual downwind at the edge of the site throughout the accident would have received a dose of less than 1 mSv (100 mrem), equivalent to the annual dose of natural radiation. The operating personnel received a slightly higher, but still quite limited dose during the accident, and had to wear masks for a few hours Three technicians received doses between 30 and 40 mSv (3–4 rems) during primary coolant sample-taking operations. The collective dose received by the plant workers from the onset of the accident to the end of fuel removal in 1989 is estimated at 60 man-Sv. 145 Accident analysis: direct causes and root causes The first event of this scenario is the failure of the normal steam generators feedwater system due to an human error during a minor maintenance activity. This demonstrates the absolute need to reduce the occurrence of any type of abnormal event but the direct causes of the core meltdown are to be searched a step forward and then two direct causes appear: x The pressurizer relief valve stuck open; x The emergency core cooling system was stopped by the operators. Instead of focusing on these direct causes, the prevention of the reoccurrence of equivalent events needs to identify and treat the actual root causes. A list of the major findings is presented. Design deficiencies x The loss of normal feedwater which is an anticipated operating occurrence leads to the opening of the pressurizer relief valve which is an other anticipated operating occurrence; x A break in the steam phase of the pressurizer is not considered. There is no procedure to identify and manage this event and the operating staff is not trained for it; x The actuation of the emergency core cooling system does not actuate a complete containment building isolation. Man-machine interfaces x Global control board weakness with, in particular indications of order instead of position without specific warning, no alarm only at nominal power leading to a lot of alarms in any shutdown condition and without any possibility to identify the initiating difficulties, insufficient pressure and temperature indicators range; x Existing emergency operating procedures difficult to use. Multiple latent deficiencies (organization, maintenance, quality, ... ) x The pressurizer relief valve had been known to be leaking for a while but the repair work was postponed so increasing the probability of a jammed open valve and depriving the operators of a way to identify the valve situation: the temperature of the pressurizer relief line; x The closed connecting valves of the steam generators auxiliary feedwater system added a complete loss of feed water system to the complete loss of emergency core cooling system and focused the attention of the operating team; x An effluent tank was leaking; x The iodine filters in the auxiliary building had poor efficiency. 146 Global and collective excessive confidence (complacency) This general attitude towards nuclear activities is not specific to this type of design or to this operating organization but can be considered as widely spread world-wide at that period. This can be seen by different signs: x An accident more severe than a LOCA is not considered. No on-site accident management is needed as well as any off-site emergency preparedness. x Even design basis accidents are just considered as conventional. Then the emergency operating procedures are difficult to use and relate only to the short term (mainly automatic actions). x Limited use of operating experience (precursor event at Davis Besse). Incidents without actual consequences are considered as trivial and the practice of information exchange on operation difficulties is not established. Lessons learned The first three lessons were the following, leading to a very large evolution of the safety approach and significant improvement of the safety of a majority of plants. Beyond design core conditions can occur resulting from multiple equipment or human deficiencies. A resistant and leak tight containment resulting from the implementation of the defence in depth concept (3 levels) can be efficient to mitigate the radiological consequences even in the case of most beyond design accidents. Man is an essential element of safety. Corrective actions x Initiation of large cooperation programmes of research and development to improve the knowledge available in core melt conditions and related conditions. x Development of severe accident management related to severe cooling conditions including containment isolation and surveillance, hydrogen explosion, containment venting, basemat melt through. x Large adaptation of the control-room tools in general ergonomic (position sensors, enlarged indicators scales, primary coolant boiling monitor, ...), Alarm ranking, safety parameter display system. x Improvement of containment isolation. x Consideration of the complete loss of redundant systems in safety analysis. x Development of provisions for management of large quantities of radioactive effluents. 147 x Development of operating experience feedback structure within the operating company, at national level and with the regulatory bodies; Exchange of information at international level. x Development and implementation of quality assurance programmes at NPPs. x Improvement of operators training. 3.2.4. Periodic safety review, reassessment for renewing the operating licence — French experience [22] The Periodic Safety Review is a relatively new step in the licensing process. The first publication of an IAEA safety guide on this topic occurred in 1994 with the Safety Guide 50SG-O12, Periodic Safety Review of Operational Nuclear Power Plants [24] and the good practices in member countries are still in evolution. This safety guide suggests a list of 11 factors: actual physical condition of the nuclear power plant, safety analysis, equipment qualification, management of ageing, safety performance, use of experience from other nuclear power plants and research findings, procedures, organization and administration, human factors, emergency planning and environmental impact. Three main steps are suggested for the review procedure. x Step 1: Assessment of current nuclear power plant safety that needs to obtain information on all safety factors and to assess them by current methods and against current safety standards and practices. This leads to a list of nuclear power plant strengths and shortcomings for each safety factor. x Step 2: Interim safety review based on existing information and expert judgement to evaluate all shortcomings, fix their priority and assess the adequacy of remedial actions and interim measures. x Step 3: In-depth safety review based on analysis of available information, PSA insights and expert judgement: evaluate all shortcomings, associated remedial actions and interim measures and nuclear power plant strengths. This methodology allows one to identify the resolved and the unresolved shortcomings, to assess risks associated with all unresolved shortcomings and to reach a conclusion about the final acceptable or unacceptable safety level of the plant. Safety deficiencies detected by this process, are classified according to safety-related relevance. The criterion in this respect is the extent of damage to the plant or its surroundings associated with its estimated frequency. Following this, there are three assessment categories, used in some countries, for the order of priority of corrective measures. Category I: The extent of damage within and outside the plant and its estimated frequency deduced from the deterministic and probabilistic analyses cannot be tolerated. The required precautionary measures are no longer adequate. Immediate measures have to be taken. 148 Category II: The actual condition of the plant and its operating mode can limit the risk only to a limited extent. The safety deficiencies identified endanger the fulfilment of criteria for meeting the safety objectives. The probabilistic analysis indicates event sequences with relatively high damage frequency or increasing extent of damage representing an imbalance of the safety-related design or operating mode of the plant. Medium-term measures are required, interim solutions may be necessary until their implementation. Category III: The actual condition of the plant and its operating mode guarantee the necessary precautions. The measures available fulfil the criteria for meeting the safety objectives. The results of the probabilistic safety analysis confirm the balanced safety level of the plant The non-conformance identified on the basis of the operating experience evaluation and the comparison with the current level of the engineered safety features, however, indicate possibilities for improving safety. Measures to improve the safety level have to be implemented, if need be, considering the appropriateness of expenditure compared to the increase in safety. 3.2.4.1. French periodic safety review practice Since 1978, France had undertaken the safety review of all nuclear power plants which had been operated for more than 10 years but without the systematic character that is now understood under this wording. All of them but one (Phenix) have been shutdown for economic reasons Application of this practice to the first six 900 MW(e) PWR units at the Fessenheim and Bugey plants was on a totally different scale. These plants went critical between 1977 and 1979 and are similar to the other 900 MW(e) units, the last of which were commissioned in 1987. They still have a long life span before them. The Fessenheim and Bugey plant safety review represents a vast amount of work undertaken over a period of 5 years, which does not include the actual implementation of decisions made towards the end of the period. It began in 1987 with a discussion of the aims and limits of the practice, providing useful guidelines for subsequent reviews. Aims of safety reviews In the French practice, plant safety assessment is a continuous process. The changes in safety approach related to the consideration of complementary operating conditions and the integration of severe accident procedures and resources have led to modification of all plants. Operating feedback from France and abroad and analysis of incidents reported have also resulted in the continuous adaptation of French plants. A plant safety review is consequently complementary to the continuous safety enhancement process. It provides an opportunity to identify aspects not dealt with in the latter context. The idea of a plant safety review after about 10 years of service life has much in common with that underlying the regulatory 10-yearly complete overhaul of the main primary system, required by the regulations specific to these components. The main aims are as follows: 149 x Obtain a complete operating record covering a significant period, integrating in-service inspection results and accounting for the various transients undergone by the main primary system, enabling notably comparisons with the design basis data; x Compare the current safety level with the anticipated design basis level. this would be a qualitative appraisal; x Make sure that the operating feedback process is systematically applied; x Ensure that general know-how advances have been put to good use and that the continuous analysis and follow-up of plant safety has been effectively carried out; x Identify ageing factors which could justify surveillance programme modifications or even curtail plant lifetime; x Identify significant design differences adopted for more recent units with respect to a reference model; x Estimate the safety feasibility and interest of any modifications to plants or operating procedures, derived from the above comparison. An additional objective of EDF was to stabilise the plant safety reference as at the end of each review in order to prevent a continuous process, involving numerous modifications, from having a negative safety impact. The safety review of an old plant does not mean requiring it to comply systematically with the most recent safety practices, but implies determining under what conditions it could continue to operate. The safety characteristics of the most recent 900 MW(e) units, modified as provided for at the beginning of the review were selected as the reference basis for review of the earliest 900 MW(e) units. Elements likely to have changed The plants under review had all been subjected to the regulatory authorization procedures in force at the relevant periods and had consequently undergone a safety assessment. The purpose of the review is to identify factors liable to modify the conclusions of these assessments. This leads us to the five areas discussed below. Regulations and regulatory practice: In most cases, changes to regulations or in regulatory practice explicitly exclude systematic retroaction, but there is nothing to prevent assessment of the discrepancies with respect to the new texts in force. Safety objectives and options:. Many changes have been seen in specific safety objectives and options as the successive standardized plant series were defined. In particular, the list of external hazards and the ways of dealing with them differ from those defined for the first 900 MW(e) PWR units. Also worth noting are the inclusion of complementary operating conditions, the introduction of a state-oriented approach or the preparation for severe accident management. 150 Operating feedback and enhancement of know-how: It would, of course, be superfluous to dwell on the merits of operating feedback, but it is worth noting that safety study advances do not necessarily lead to larger safety margins but often simply clarify their demonstration. As tools are perfected, these margins may even, in some cases, be reduced. A characteristic example would be the changes that have taken place in reinforced concrete structure design methods, where substituting the elasto-plastic for the elastic structural design field enables reduction of the real margins, which were also better understood. As regards ageing, the main difficulty is to ensure that phenomena are accurately identified and monitored. Feedback on simulator training for operators also provides much useful information, since the difficulties evidenced during accident situation simulation have, fortunately, not been experienced on the sites themselves. Plant modifications: Many safety policy changes have, of course, led to plant modifications. In harmony with the underlying homogeneous plant population approach, this modification programme resulted in definition of an “end of series condition” for the CP1 and CP2 series of 900 MW(e) units, aimed at limiting but not precluding subsequent modifications. For the Fessenheim and Bugey plants, the modification programme was aimed at upgrading, adapted to the specific characteristics of these plants. These programmes have already resulted in considerable changes to the plants, but without obliterating the main design differences between the first 900 MW(e) plants (Fessenheim and Bugey) and the 28 units that followed (CP1 and CP2 standardized series). Plant environments: We have discussed the revised approach to dealing with external hazards and the accompanying new investigations. Apart from these changes in practice, it is also important to appraise changes in the environment itself and in our knowledge of them. This may concern a wide range of topics, from air traffic density, to transport of explosive substances and seismic hazards. 3.2.4.2. Fessenheim and Bugey plant safety reviews It was theoretically possible to undertake an entirely new safety analysis for these units, as if for a new standard series. But the results would doubtless not have justified the means deployed. On the other hand, it was essential that no important topic be overlooked. An overall approach had consequently to be adopted. So the review started with a fairly wide range of topics, followed by gradual pruning where justified and using the CP1, CP2 standardized 900 MW(e) unit “end of series condition” as the reference model. Twelve main topics were initially selected: x x x x x x x x x x x x General principles. Accident analyses. External hazards. Internal hazards. Engineered safety systems. Main primary system. Secondary system. Auxiliary systems. Containment. Instrumentation and control. Reactor vessel internals. General operating rules. 151 On the other hand, it was not deemed appropriate to change the accepted analysis procedure for “generic” problems affecting all plants. This is the case, for example, for the technical operating specifications, where the periodic revisions concerning Fessenheim and Bugey are adapted to those of the other 900 MW(e) units and regularly analyzed prior to approval by the DSIN, and for the internal emergency plans or the ageing monitoring procedures dealt with in the context of the life span project. Methods and means Initially, no summary report was issued on the 900 MW(e) plant probabilistic safety assessment, which in fact only partially applied to Fessenheim and Bugey. Probabilistic assessment methods were consequently little used for the safety reviewing of these plants. The 10-yearly outage, on the other hand, used to obtain a health check on the main pressure vessels and the reactor containment, also provided an opportunity to rerun and supplement certain overall functional tests Some safety problems of which the authorities had been aware since initial start-up of the plants were only dealt with in the context of the Fessenheim and Bugey safety reviews rather than in that of operating feedback. The most characteristic example is the direct Rhone or Rhine water supply to the containment spray system exchangers, with no intermediate system. No incident occurred to call attention to this point and the primary fluid’s cooling function following a primary system break had never been invoked. This configuration nevertheless implies a possibility of direct transfer of radioactive substances to rivers in the event of loss of heat exchanger integrity in certain accident situations. This also applies to reassessment of seismic hazards and ways of dealing with them in plants built more than 15 years ago. Scope of the review and examples of corrective measures It is obvious that fundamental structural transformations, significantly modifying the civil works or restructuring major systems are out of the question. Problems revealed by safety reviews tend to be solved by local or generalised palliative measures. It should be borne in mind that this approach had already been adopted for loss of redundant system situations. For example, the complementary procedure resources enabling mutual backup between safety injection and containment spray pumps or water injection in the core by external devices had been permanently installed at the units concerned prior to the review under discussion. This is not so for the CP1 and CP2 standardized 900 MW(e) units, where mobile devices are used. This emergency core cooling scheme could offset various types of engineered safety system inadequacy. In what follows, we discuss the main implemented or planned transformations. They derive from the EDF analysis, possibly supplemented by IPSN requests, which may have been either directly accepted by the operating utility or transmitted via the DSIN after discussion during the many meetings held by the Standing Group for reactors on the subject of the Fessenheim and Bugey safety review. 152 Reassessment of seismic hazards: The maximum historically probable earthquakes (MHPE) for the Fessenheim and Bugey sites were reassessed in the light of the new seismotectonic map of France and earthquakes previously disregarded because of inadequate available data (notably the 1356 earthquake at Basel in Switzerland), in compliance with the procedure proposed in basic safety rule I.2.c. For the Bugey site and deep earthquakes affecting the Fessenheim site, the bounding case resonator response spectra for characteristic MHPE’s fall within the corresponding spectrum range for safe shutdown earthquakes (SSE) adopted for plant design. With regard to earth tremors near to Fessenheim, the possibility of the design basis spectrum being exceeded for frequencies higher than 5 Hz was investigated in 1976 for the electrical building and resulted in local reinforcements. The MHPE spectrum corresponding to earthquakes near this site is amply bounded by the spectrum, abundant in high frequencies, used for these investigations. On the other hand, considering an earthquake as a credible event and not a load combination implies examining the possibilities of safety classified equipment (designed to withstand the relevant design basis earthquakes) being damaged by non-classified equipment. This led to a number of further measures. Examples are the instructions given to operators to interlock handling equipment in parked position when not in use. Checks on the seismic resistance of certain non-classified equipment supporting elements also led to reinforcements. Protection against off-site flooding hazards: The Fessenheim site is located below the Alsace canal where the water level is 9.5 m higher than the site ground level. This is therefore an exceptional case, resulting from incomplete investigation of site related hazards when the plant was designed. Failure of the nearest dike upstream from the site is not included in the design basis data. Its mechanical strength is consequently crucial and must be checked, taking into consideration the reassessment of seismic hazards, the ageing of the dike structures and any modifications they have undergone. Its seismic resistance has been checked during previous safety inspections. Fire protection: Further to generic fire hazard studies, an extensive programme was implemented aimed at improving protection in this respect at the Fessenheim and Bugey plants. It comprised: x Redefinition of the fire areas to improve the separation of redundant train equipment; x Identification and handling of cabling common point problems, after compiling a cable file, indicating cable routing through the installation; x Renovation of passive and active protection devices, such as doors, wall and floor openings, fire stop panelling and seals, together with the water spraying equipment. Protection against onsite flooding hazards: Whatever the origin of onsite flooding, provisions as to surveillance, drainage systems, retention pits, raised mounting bases should be such that the reactor can be shut down and held in a safe configuration and that any radiological consequences can be limited. Examination of the Fessenheim and Bugey plants led to corrective actions, such as the reworking or repair of flange seal faces and cladding and the 153 clearing of floor drains. Certain sills were raised and additional alarms were installed for sump water detection. System modifications Containment spray system heat exchangers: In the design adopted for the plants built in France, the containment spray system heat exchangers remove residual heat in the event of a major primary break. At the Fessenheim and Bugey plants, these heat exchangers are directly cooled by Rhine or Rhone water. They thus form the only barrier between the river water and water which, after a loss of coolant accident, would be carrying substantial quantities of radioactive products from the containment spray system. In all later plants, the containment spray system is cooled by the component cooling system, itself cooled by off-site raw water. The Fessenheim and Bugey plants are also equipped with a similar system, but isolation with respect to the river water is only assured for systems used under normal operating conditions. The installation of such a system could have been recommended for the containment spray system heat exchangers, but owing to the technical difficulties involved, EDF preferred a solution that was less satisfactory as regards principle, but nevertheless deemed acceptable. It consisted in using heat exchangers where raw water circulates in 1 mm thick titanium tubes. These exchangers are so designed that, in an accident situation, leakage risks would be diminished by the slight lengthwise compression of the tubes. They can be entirely eddy current inspected and are easy to clean on the raw waterside. In addition, raw water activity monitoring downstream from each exchanger has been improved, so that leaks would be detected and the contaminated train isolated. After a fairly short period, a single heat exchanger is sufficient to remove reactor core residual heat which rapidly decays. The advisability of automatic isolation of the polluted train was discussed, but the risk induced by inadvertent isolation of a safeguard system was deemed to exceed the benefit to be gained by automation. Automatic switch over to recirculation: In the event of a major primary break, core cooling is first assured by injection of water from the reactor cavity and spent fuel pit cooling and treatment tank. When the low point in this tank is reached, the safety injection and containment spray pumps it is supplying must take suction in the containment sumps which collect water leaking from the primary system or resulting from containment spraying. At Fessenheim and Bugey, this pump suction switch over was actuated by the operating team. However, owing to the possibility of human error in this context, it was decided to automate this action, bringing it into line with the other PWR plants. Application of the single failure criterion: When the Fessenheim and Bugey plants were designed, the principle of redundancy of safety-related systems was not so stringently applied as for subsequent plants. When the Fessenheim and Bugey plant structural features were examined in relation to application of the single failure criterion as defined in Basic Safety Rule I.3.a, released in 1980, the following modifications were made: the containment atmosphere monitoring system fans were duplicated, as also was the low head safety injection system suction line. On the other hand, it was considered acceptable to have only one valve regulating suction for the residual heat removal system because it is possible to offset refusal of this valve to open by maintaining cooling via the steam generators. 154 As is clear from the previous examples, appraisal of the degree of risk influences decisions, which are not solely based on strict application of regulatory or para-regulatory texts. Preparation for severe accident management It was already mentioned that the Fessenheim and Bugey plants are permanently equipped to implement the complementary ultimate provisions for core cooling in highly disturbed situations. Another specific feature of the two Fessenheim units is the shallower base mat. A survey is proceeding to investigate the possibility of installing refractory materials in the reactor pits of these units to delay base mat penetration in the event of a core melt accident. Expected final result The various changes implemented further to the Fessenheim and Bugey plant safety reviews should bring their safety level closer to that of the other 900 MW(e) units. This should facilitate subsequent inspections and simplify the introduction of any further changes that could be adopted during safety reviews on other 900 MW(e) plants. 4. INSPECTION AND ENFORCEMENT BY THE REGULATORY BODY 4.1. IAEA GUIDANCE ON INSPECTION AND ENFORCEMENT5 Regulatory inspection and enforcement activities cover all areas of regulatory responsibility. Inspections allow the regulatory body to satisfy itself that the operator is in compliance with the conditions set out, for example, in the authorization or regulations. In addition, the regulatory body shall take into account, as necessary, the activities of suppliers of services and products to the operator. Enforcement actions are applied as necessary by the regulatory body in the event of deviations or non-compliance with conditions and requirements. The principal objectives of regulatory inspection and enforcement are to provide a high level of assurance that all activities performed by the operator during all the stages of the authorization process and during all stages of the lifetime of a nuclear facility (siting, design, construction, commissioning, operation and decommissioning or closure) are executed safely and meet the safety objectives and licence conditions. Inspection is performed to check independently the operator and the state of the facility, and to provide a high level of confidence that operators are complying with the safety objectives prescribed or approved by the regulatory body. This should be achieved by confirming that: x All relevant laws, regulations and licence conditions, and all relevant codes, guides, specifications and practices are complied with; 5 INTERNATIONAL ATOMIC ENERGY AGENCY, regulatory Inspection of Nuclear Facilities and Enforcement by the Regulatory Body, Safety Standards Series No. GS-G-1.3 (in press). 155 x The operator has a strong and effective management, good safety culture and selfassessment systems for ensuring the safety of the facility and the protection of workers, the public and the environment; x The required quality and performance are achieved and maintained in the safety related activities of the operator and in the structures, systems and components of the facility throughout its lifetime; x Sufficient numbers of personnel, who have the necessary competences for the efficient and safe performance of their duties, are available at all times throughout all stages of the facility’s lifetime; x Deficiencies and abnormal conditions are identified and promptly evaluated and corrected by the operator and duly reported to the regulatory body as required; and x Any other safety issue that is neither specified in the authorization nor contained in the regulation is identified and appropriately considered. Regulatory inspection includes a range of planned and reactive inspections over the lifetime of a nuclear facility and inspections of relevant parts of the operator’s organization and contractors to ensure compliance with regulatory requirements. Regulatory enforcement actions are actions to deal with non-compliance by the operator with specified conditions and requirements. These actions are intended to modify or correct any aspect of an operator’s procedures, and practices, or of a facility’s structures, systems or components as necessary to ensure safety. Enforcement actions may also include the imposition or recommendation of civil penalties and other sanctions. The regulatory body has legal authority for conducting and co-ordinating its inspection and enforcement responsibilities during the site evaluation, design, construction, commissioning, operation, decommissioning or closure of nuclear facilities under its authority. With regard to inspection, the regulatory body shall has the authority: x To establish regulations and issue guidance which, among other things, serve as the basis for inspection; x To enter the premises of any facility subject to the regulatory process at any time for the purposes of inspections; x To require preparation of, access to, and submission of reports and documents from operators and their contractors when necessary; x To seek the co-operation and support of other governmental bodies and consultants with inspection related competence or qualifications; and x To communicate information, findings, recommendations and conclusions from inspections to other governmental bodies or interested parties, including high level officials, as deemed appropriate in view of the significance of the issue. With regard to enforcement, the regulatory body has the authority: 156 x To require the operator to take action to remedy deficiencies and prevent recurrence to curtail activities or to shut down the facility when the results of inspection or another regulatory assessments indicate that the protection of workers, the public and the environment might be inadequate; and x To impose or recommend civil penalties and other sanctions for non-compliance with specified requirements. The regulatory body has adequate powers and authority to enforce compliance with its requirements and licence conditions, and has available a number of enforcement methods to provide sufficient flexibility to implement the method best suited to the seriousness of the violation and the urgency of corrective actions. The degree of authority of the regulatory inspectors is clearly defined, and clear administrative procedures are adopted and implemented. The regulatory body, including a dedicated support organization if appropriate, has staff capable of performing activities required by its inspection programme or, if outside consultants are used, staff capable of adequately supervising the consultants’ work and independently evaluating its quality and the results. It is neither necessary nor practicable for the regulatory body to be entirely selfsufficient in all technical areas relating to inspection. It may therefore be necessary to use consultants in specialized areas. It may occasionally be necessary owing to a heavy short term workload to augment the regulatory body’s inspection staff with consultants having knowledge and experience equivalent to that of the regulatory body’s inspection staff. 4.1.1. Regulatory inspection programme The regulatory body establishes a planned and systematic inspection programme. The extent to which inspection is performed in the regulatory process will depend upon the potential magnitude and nature of the hazard associated with the facility or activity. Specific responsibilities of the regulatory body in this regard include: x Conducting planned inspections in all stages of the authorization process; x Carrying out reactive inspections, if appropriate, in response to events, incidents or accidents; x Identifying and recommending necessary changes to the safety requirements approved by the regulatory body, specified in the authorization or contained in the regulations; x Preparing reports to document its inspection activities and findings; x Verifying the operator’s compliance with regulatory requirements and otherwise confirming continuous adherence to safety objectives; x Ensuring that the operator has adequate, comprehensive and up-to-date information on the status of the facility and for the demonstrating its safety, and a procedure to maintain this information; 157 x Verifying that corrective actions have been undertaken by the operator to resolve safety issues identified previously; x Tracking recurrent problems and non-compliance; x Developing such procedures and directives as may be necessary for the effective conduct and administration of the inspection programme; and x Determining and recommending suitable enforcement actions when non-conformance with requirements is identified. Regulatory inspection programmes are comprehensive and are developed within the overall regulatory strategy. These programmes are thorough enough to provide a high level of confidence that operators are in compliance with the regulatory requirements and are identifying and solving all actual and potential problems in ensuring safety. In order to establish or modify an inspection programme different methods may be used when selecting the inspection areas and establishing priorities for the inspection programme. The regulatory body should consider the following: x The results of previous inspections; x The safety analysis performed by the operator and the results of regulatory review and assessment; x Performance indicator programmes or any other systematic method for the assessment of operator’s performance; x Operational experience and lessons learned from the facility and other similar facilities as well as results of research and development; and x Inspection programmes of the regulatory bodies of other states. The regulatory body has the capability to undertake inspection activities at any time as necessitated by the normal operation or by any fault conditions or operator’s activities at the facility. The planning of the programme of inspections will also be influenced by the geographical location of the regulatory body in relation to the facility to be inspected. In particular it will depend on whether inspectors are permanently at the facility site (resident inspectors) during one or more stages of the facility’s lifetime. 4.1.1.1. Types of inspections The regulatory body conducts two general types of inspection, namely planned inspections (including special inspections) and reactive inspections. Inspections may be conducted by individuals or teams and may be announced or unannounced, as part of a general programme or with specific aims. Planned inspections are those carried out in fulfilment of, and in conformance with, a structured and largely pre-arranged or baseline inspection programme developed by the regulatory body. They may be linked to operator schedules for the performance or completion 158 of certain activities at all stages of the authorization process. They are scheduled in advance by the regulatory body. Special inspections may be carried out to consider specific issues that may be of interest to the regulatory body, such as new research and development findings and experience from other facilities. This type of inspection may range from a single inspector reviewing a specific inspection area, to a team inspection of several inspectors reviewing several different inspection areas. Team inspections, which may be multidisciplinary, provide an in-depth independent and balanced assessment of the operator’s performance. Team inspections are of particular value once safety problems have been identified, since normal inspections cover only small samples of operator’s activities in any particular area. Reactive inspections, by individuals or teams, are usually initiated by the regulatory body in response to an unexpected, unplanned or unusual situation or an incident, in order to assess its significance and implications and the adequacy of corrective actions. The regulatory body assumes the need for reactive inspections and plans its requirements for staff and consultants accordingly. 4.1.1.2. Provision of guidance to inspectors To ensure that all nuclear facilities in a country are inspected to a common standard and that the level of safety is consistent, the regulatory body provides written guidance in sufficient detail for its inspectors. The guidelines ensure a systematic and consistent approach to inspection, allowing sufficient flexibility for inspectors to take the initiative in identifying and addressing new concerns as they arise. Appropriate information and guidance are provided to the inspectors concerned and each inspector is given adequate training in following this guidance. The authority vested in inspectors should oblige them to conduct themselves on-site in a manner that inspires confidence and respect concerning their competence and integrity. 4.1.2. Inspection areas Inspection by the regulatory body concentrates on areas of safety significance. The stages of inspection covers: site evaluation, design and construction, commissioning, operation and decommissioning. In the following key topics at each stage are covered. Table XIV presents areas of nuclear facilities that may be of particular interest for inspection at different stages of the authorization process. 4.1.3. Implementation of an inspection programme The regulatory body has an overall plan for the programme of inspections that it will undertake at a facility. In determining the intervals of inspections and the level of effort to be applied, the regulatory body takes into account the relative significance for the safety of the facility of each authorization stage and inspection area. 159 Particular aspects that need to be considered in determining the intervals of inspection in the various areas and the level of inspection effort to be applied include: x The safety significance of the issues; x The inspection methods and approaches used (for example, the use of resident inspectors may affect the frequency and intensity of inspections); x The qualified personnel and other resources available to the operator; x The performance record of the operator and the facility, including the number of violations, deficiencies, incidents and problems encountered, and the number of reactive inspections required; x Results of regulatory review and assessment; x The type of facility; x The personnel and other resources available to the regulatory body. x Results of previous inspections. To facilitate management of the allocation of inspection resources, the regulatory body develops a site specific inspection plan that takes into account the factors presented in Table XIV. The inspection plans are recorded in such a way that can easily be modified to take into account continuing activities, and they are reviewed periodically and adjusted as necessary. The inspection plan is flexible enough to permit inspectors to respond to particular needs and situations. The regulatory body establishes a process of periodically evaluating inspection findings, identifying generic issues and making arrangements to enable inspectors from various plants, locations or projects to meet to exchange views and discuss the findings and issues. 160 161 x x x x Safety related materials, SSCs meet the requirements established by the regulatory body and conform to good practices; Construction activities associated with manufacturing and installing SSC items are conducted in accordance with regulatory requirements and in conformity with general safety objectives. The “as-built” configuration of SSCs is in conformity with the assumptions made in the review and assessment; any deviation is analyzed and justified, and the documentation is updated; The operator’s system and procedures for quality assurance and inspection are adequate to ensure the conformance of equipment to the technical specifications. The chief objectives of the regulatory inspection programme during the design and construction of the facility are to verify that: The design and construction stage Before construction of the nuclear facility begins, the regulatory body monitors as appropriate, through its inspection programme, site preparation activities undertaken by the operator, including verification of site characteristics and authorized excavation and earthwork. Specific inspection objectives in these areas include verification that the operator is undertaking siting activities in full conformity with existing regulatory requirements and assurance that the site preparation work does not proceed beyond that permitted by any authorization in force. During site preparation, the regulatory body is also concerned with confirming that the site characteristics remain consistent with the description presented by the operator in its application and in the subsequent supporting documentation submitted to the regulatory body. The site evaluation stage TABLE XIV. INSPECTION AREAS FOR NUCLEAR FACILITIES Inspection by the regulatory body during the commissioning stage focuses on four broad areas of the operator’s activity: x Testing before introduction of fissile and radioactive material; x Initial introduction of fissile and radioactive material; x Testing of operations involving fissile and radioactive material; and x Other commissioning activities. Activities associated with commissioning will normally begin before construction is completed. Accordingly, the regulatory body prepares to inspect areas of commissioning activity in parallel with activities of the construction phase. In some countries the regulatory body approves the commissioning programme, and for advancing beyond certain hold points, the regulatory body’s agreement has to be obtained. The commissioning stage The regulatory body inspects design and construction activities in a number of areas in order to attain these objectives. In particular, the following areas receive close attention in the construction stage: x Mixing and placement of concrete and its reinforcement, especially in foundations, and safety related structures, particularly containment structures; x Construction of cooling intake and discharge systems; x Installation of safety related components, particularly containment and shielding boundaries, internals of vessels which will contain fissile and radioactive material, and equipment to be used in radioactive areas. x Installation of safety related control, protection and power systems; x Areas of the facility that are inaccessible after construction is completed, particularly systems and components embedded in the foundation or building structure; x Housekeeping in respect of safety related SSCs; and x The quality assurance systems of the designer, manufacturer and constructor. 162 In relation to the initial introduction of fissile and radioactive material, regulatory inspection personnel are present at the facility site to observe: x Tests of the main control room; x Access control and radiation protection programme; x Emergency preparedness and demonstration of the emergency plan; x Systems for monitoring radioactive releases and meteorological conditions; The number and the key tests examined and directly witnessed by the regulatory body will vary depending on the importance of the test for safety. This may involve the regulatory body in inspecting tests of: x Safety related systems (e.g. instrumentation and control systems, shutdown systems and standby systems); x The integrity of the containment and shielding boundaries (e.g. hydraulic tests of pressurized structures) as appropriate; x The susceptibility of SSCs to vibration or to other design loads; x Secondary containment integrity (e.g. leak rate tests); x Emergency power systems as appropriate; x Communication capabilities; x Ventilation systems; and x Integrated cold and hot functional tests. Testing before introduction of fissile and radioactive material encompasses those activities and tests performed before the introduction of fissile and radioactive material by the operator to demonstrate that SSCs and components function properly and conform to design requirements. The regulatory inspection programme includes: x Examination of documented procedures to verify compliance with review and assessment conclusions; x Review of the implementation of these procedures; x Direct observation of the performance of key pre-operational tests; x Examination of the results of selected tests; and x Confirmation of the integrity of any engineered barriers. Distribution of fissile and radioactive material and checks on process and/or criticality calculations; and Systems involved in the handling of radiation or fissile material. Other areas requiring inspection by the regulatory body during the commissioning stage include: x The ability of the operator’s management to progress from construction to operation; x Management’s provisions for putting the emergency plan into effect; x Training and qualification of the operators; x Hold points during the operational testing phase and into the full operational phase are closely monitored. Testing of operations involving fissile and radioactive material encompasses operator activities up to nominal operating conditions: x SSCs are tested to ensure that they have been constructed and installed properly and are capable of functioning in accordance with approved design requirements. x Consideration is given to the performance of radiation surveys of facility shielding (e.g. concrete walls) during facility start-up. x The operator is carrying out tests at increasing operational levels; this testing includes the recording; and analysis of data relating to temperatures, pressures, radiation levels, flows and variations in process parameters as well as other relevant parameters; x The safety aspects of the operator’s procedures of operational tests are examined and assessed as well as a sample of the test documentation and results of the tests. Regulatory inspection also involves monitoring and direct observation of several tests. x x 163 Operator’s training programme including simulator training: the adequacy of the operator’s staff training programme is assessed routinely to ensure that the training reflects actual facility conditions and operator responses to abnormal events and emergency conditions. Safety systems: a sampling review of safety systems is performed to evaluate: any identified degraded equipment; discrepancies between installed component/system hardware and the facility drawings; controls for performing maintenance on equipment; and the quality of performance of operations staff in log keeping and record keeping and in routine monitoring of equipment. x x The area of operations should include the control and execution of activities directly related to operating a facility to the operating limits and conditions established by regulatory requirements or by procedures or specifications. Inspection personnel should perform safety verification of control room activities and the abilities of the operations staff to discharge their duties. To perform this safety verification, the following should be carried out: x Operating procedures: a sampling review of operating procedures, including all those procedures for normal operations, abnormal or offnormal conditions, and emergency conditions, is performed. Inspection focus on the operating personnel’s adherence to procedures including limits and conditions for operation and should also evaluate the usability and adequacy of the procedures. The operation stage: Once the facility has attained the authorized operation stage, the regulatory body implements an inspection programme to verify systematically the operator’s compliance with regulatory requirements and conformance to general safety objectives, and to detect potential safety problems. Management: the management’s involvement in the facility and its effectiveness in providing the appropriate attention to operational issues, including abnormal events, is evaluated. Inspections consider whether the organizational structure is suitable, if there are adequate numbers of staff, how management and staff communicate, and how management that emphasizes the importance of safety encourages a good safety culture. The decommissioning stage: During the decommissioning stage of a nuclear facility, inspection activities, e.g. concentrate on: the adequacy of the operator’s procedure for the control of each phase of decommissioning; the removal of radioactive material; the decontamination and dismantling activities; the waste management strategy for the treatment, conditioning, storage and disposal of all radioactive wastes; the physical condition of the facility especially the surveillance of the integrity and/or availability of relevant SSCs. Outages: Inspection covers outage activities. In addition to providing opportunities to observe modifications to the facility, outages provide opportunities to observe activities in areas that are not always accessible during normal operation. Before bringing back the facility to normal operation, it is usual for the regulatory body to perform a special inspection. Topics requiring specific attention include: x Radiation protection; x Maintenance, inspection and testing; x Engineering; x Modifications; x Emergency preparedness; x Security; x Quality assurance programme; x Effectiveness of management systems; x The operator notifies the regulatory body of its schedules for carrying out activities and tests of regulatory interest and submits or makes available to the regulatory body the procedures for these activities in a timely manner. To facilitate this process, the regulatory body specifies well in advance to the operator which activities and tests it wishes to be informed of. 4.1.3.1. Preparation of an inspection Before an inspection is carried out the inspection personnel is thoroughly prepared for the task. The preparation will depend on the type and method of inspection to be used. Preparation may include a review of the following: x x x x x x x Regulatory requirements relating to the inspection area; Past operating experience relating to the inspection area; Previous inspection findings and enforcement actions relating to the inspection area; Past correspondence between the regulator and the operator relating to the inspection area; The safety analysis report and operating limits and conditions; Documentation on operation and design for the facility; Operator’s management procedures and quality assurance programme. 4.1.3.2. Methods of inspection The inspection programme of the regulatory body incorporates and utilizes a variety of methods as follows: x x x x Monitoring and direct observation, such as working practices and equipment; Discussions and interviews with the personnel of the operator and the contractor; Examination of procedures, records and documentation; or Tests and measurements. 4.1.3.3. Inspection reports and findings A report of each regulatory inspection is written by the inspector(s) who conducted it. The report is reviewed and approved according to established internal procedures. The purposes of inspection reports are: x To record the results of all inspection activities relating to safety or of regulatory significance; x To document and record an assessment of operator activities in relation to safety; x To record relevant discussions held with facility staff, plant management and other concerned persons; x To provide a basis for notifying the operator of the inspection findings and of any regulatory requirements, and to provide a record of any enforcement action taken; x To record any findings or conclusions reached by inspectors; x To record any recommendations by inspectors for future action by the operator or the regulatory body, and to record progress on recommendations from previous inspection; and x To inform other members of the regulatory body; x To contribute to maintaining institutional memory. 164 Inspection reports typically contain: x x x x x x x x x x x x x The facility, purpose and date of inspection, inspectors’ names; The methods used in the inspection (interviews, observations, paper review etc.); Reference to applicable regulations; Criteria used in the assessment; Details of facility areas, activities, processes, systems or components which have been inspected, assessed or reviewed; A record of actual or potential problems relating to safety; A record of the results of any checks for compliance with the terms and conditions of the authorization for the facility and applicable national laws; A record of any deficiency or violation found during regulatory inspections, including a record of what has been contravened; A record of any regulatory action taken by inspectors and any consequent action taken by the operator in the period covered by the report; A record of discussions held with the facility’s staff, the operator’s managers and other persons, including a record of discussions with facility staff, the operator’s managers about points of concern; A record of the inspectors’ opinion about the operator’s or relevant facility manager’s response to any matter of concern drawn to their attention after a regulatory inspection; A record of the findings or conclusions of the inspectors including corrective or enforcement actions that should be taken; A record of recommendations made by inspectors for future action, such as a need to advise other inspectors or operators about particular problems, proposals for further inspections or proposals for enforcement actions. Distribution of inspection reports should be according to established procedures. 4.1.4. Enforcement actions The regulatory body has statutory powers to enforce compliance with its requirements as specified in the applicable regulations and in license conditions, including the authority to require an operator to modify, correct or curtail any aspect of a facility's operation, procedures, practices, systems, structures or components as necessary to ensure the required level of safety. Within the legal framework under which it is established, the regulatory body may develop and issue enabling regulations, detailing procedures for determining and exercising enforcement actions as well as the rights and obligations of the operator. Enforcement actions are designed to respond to non-compliance with specified conditions and requirements. The action shall be commensurate with the seriousness of the non-compliance. Thus there are different kinds of enforcement actions, from written warnings to penalties and, ultimately, withdrawal of an authorization. In all cases the operator shall be required to remedy the non-compliance, to perform a thorough investigation in accordance with an agreed time-scale, and to take all necessary measures to prevent recurrence. The regulatory body shall ensure that the operator has effectively implemented any remedial actions. 165 The extent of the authority of the regulatory inspectors to take on the spot enforcement actions shall be determined by the regulatory body. The degree of authority given to an inspector may depend on the structure of the regulatory body and on the inspector'’ role and experience. Where on the spot enforcement authority is not granted to individual inspectors, the transmission of information to the regulatory body shall be suited to the urgency of the situation so that necessary actions are taken in a timely manner; information shall be transmitted immediately if the inspectors judge that the health and safety of workers or the public are at risk, or the environment is endangered. Enforcement actions on the spot by regulatory inspectors are appropriate only in unusual situations. In normal situations, decisions regarding enforcement actions, particularly those involving fines, curtailment of activity or suspension of authorization, should be approved by the regulatory body according to the procedures established in each state. 4.1.4.1. Factors determining enforcement actions A range of enforcement measures are available to the regulatory body, such as the issuing of written warnings or directives, or orders to curtail activities, the modification or revocation of licences or authorizations, and the imposition of penalties. The factors to be taken into account by the regulatory body in deciding which enforcement action is appropriate in each case include: x The safety significance of the deficiency and the complexity of the correction that is needed; x The seriousness of the violation; x Whether a violation of a less serious nature has been repeated; x Whether there has been a deliberate or wilful violation of the limits and conditions specified in the authorization or in regulations; x Who identified and reported the non-conformance; x The past performance of the operator and its related trend; x The need for consistency and transparency in the treatment of operators. 4.1.4.2. Methods of enforcement The main methods of enforcement actions are: x x x x Written warnings or directives; Orders to curtail specific activities; Modification, suspension or revocation of the authorization; Penalties. The regulatory body has the authority to impose or recommend penalties, for example fines on the operator, as a corporate body or individuals, or to institute prosecution through the legal process, depending upon the legal system and authorization practices of the countries. The use of penalties is usually reserved for serious violations, for repeated violations of a less serious nature, or for deliberate and wilful non-compliance. Experience in some countries is that imposing penalties on the organization rather than individual workers is preferable and more likely to lead to improved safety performance. 166 The regulatory body has clear administrative procedures and guidelines governing the use and implementation of enforcement actions. All inspectors and other regulatory body staff should be trained in and knowledgeable about the procedures and guidelines. If there is no immediate risk to safety, the regulatory body allows reasonable periods of time for the operator to complete corrective action. These time periods reflect the seriousness of the issue and the complexity of the corrective action required. However, an integrated approach to safety considers the contribution to the total risk to the facility of each individual deficiency needing corrective action. All enforcement decisions shall be confirmed to the operator in writing. Internal records of decisions relating to enforcement actions and any supporting documentation is kept in such a way that can be easily accessible and retrieved when required. The regulatory body has a system to audit, review and monitor all aspects of its inspection and enforcement activities to ensure that they are being carried out in a suitable and effective manner. The system ensures that any changes due to improvements in techniques or otherwise, are implemented. 4.2. EXAMPLES OF SPECIFIC INSPECTIONS 4.2.1. Regulatory inspection in Finland 4.2.1.1. General arrangements for inspection In Finland all nuclear power plants (two sites, four units) are in the operating stage. This presentation concentrates on the regulatory inspections during operation. Radiation and Nuclear Safety Authority (STUK) acts as the regulatory body for nuclear power plants in Finland, i.e. as nuclear safety authority, radiation protection authority, pressure vessel authority and nuclear material and safeguards authority. Nuclear Energy and Radiation Protection Acts and Decrees define the regulatory framework in Finland. General safety requirements are given in the Decisions by the State Council (i.e. Cabinet of Ministers). A detailed technical and administrative instruction relative to the design, construction, commissioning and operation of nuclear power plants are given in the YVL guides published by the STUK. A detailed list of YVL guides is presented in Appendix V. These guides form a practical basis for the regulatory work. In addition to the YVL guides STUK has internal guides (YTV guides) which define inspection related practices. The organization chart of STUK is given in Fig. 8. The guide covering regulatory control of operating NPP’s contains reviews and inspections which can be divided in three categories as follows: x Periodic inspections as specified by STUK in plant specific programmes; x Inspections of specific technical and other topics; and x Safety re-assessment. 167 Periodic inspection programme Inspections contained in the periodic inspection programme are focused on the power company’s activities important to safety. The control aims to ensure compliance with the regulations and the plans and programmes approved by STUK, and to assess the appropriateness of the power company’s activities. In preparation for and in connection with each inspection, examples of the results of the activities in question are reviewed. Periodic inspection programme was renewed during 1998. STUK’s inspection activities are focusing at licensee main working processes. The programme has three levels: x Management of safety; x Main working processes; and x Inspections of the organizational units and specific technical areas. Because of the renewal of the programme the number of inspections was reduced but the scope of new inspections was enlarged. Inspections of specific technical and other topics Nuclear power plant operation includes activities which can be implemented only after STUK’s approval of the activity has been granted. The approvals are tied to preceding inspections. It is also verified afterwards that the implementation complies with the plans and meets possible regulatory conditions. Requirements and obligations which apply to inspections of different topics are presented in the YVL guides. The inspections cover the following items: documents concerning operation; competence of personnel; outage planning and execution; refuelling of reactors in-service inspections done or contracted by the operating organization; in-service inspections as referred to in the Decree on pressure vessels; repairs, modifications and preventive maintenance; postoutage plant start-up; procurement of nuclear fuel; safeguards; exemption of nuclear waste from regulatory control. The important inspections which the operating organization is obliged to request are the inspections of repairs and modifications. For all the repairs of failed safety relevant components, as well as for all modifications of the safety systems the operating organization has to present their plans in advance for STUK approval. The plan has to include technical documentation as needed to verify the acceptability of the functional features, structure, and materials of the repaired or new equipment. Also the repair or installation method, quality control, and tests after the work have to be presented. When the work has been completed, the operating organization has to ask for construction and/or commissioning inspections. Safety re-assessment The safety level of the nuclear power plant is re-assessed after any abnormal event, and the need for corrective measures is considered. To ensure a systematic analysis of the event and its causes, an investigation team by STUK is nominated. The team has to find out root causes of equipment failures and human errors and weaknesses in the performance of the operating organization as a whole. At the end the team has to present a report including 168 recommendations for corrective actions, intended to prevent re-occurrence of similar events. A similar parallel activity is required from the operating organization, and it has to submit its special report for regulatory approval. A thorough evaluation of the situation at the Finnish plants is also done if an event reported from a foreign nuclear power plant is suspected to be of such a nature that it might as well occur in our country. Besides feedback from the operating experience, safety reassessment is done on the basis of PSA studies and in view of new information gained from safety research programmes. 4.2.1.2. Relationship between the regulatory body and operating organizations, enforcement actions In Finland it is emphasised that the licensee and in specific the manager of the operating organization has the full responsibility for the safety of his plant. The responsibility of the regulatory body is to define the safety requirements and to verify by inspections whether these requirements are fulfilled. An atmosphere of confidence and respect between the regulatory body and the operating organization is regarded as necessary to achieve adequate information transfer for inspection purposes. The regulatory inspectors may at any time require information they find necessary for their work, and they have access to all documents. They also have unhindered access to all installations, offices, workshops, and stores. As needed, they may carry out own measurements, take samples and install equipment necessary for supervision. If particular problems occur during operation, the regulatory body requests the solutions to be proposed by the operating organization. The regulatory body may indicate some constraints but it does not suggest solutions. All the inspection activities are channelled through the operating organization, and the regulatory body does not directly inspect suppliers (factories) and contractors who work for the operating organization. If needed, STUK has strong legal tools at its disposal. If the regulations or licence conditions have not been observed, or if the safety is otherwise endangered, STUK may order removal of the defect or the fault within the time specified. The order may be reinforced by a conditionally imposed fine, or a threat to interrupt or limit the operation. STUK may also have the deficiency fulfilled by some third organization at the expense of the operating organization. If a defect or fault causes an immediate danger or cannot be removed within given time, STUK may interrupt the operation or limit it in an appropriate manner. A police authority shall provide executive assistance if needed. Sanctions specified in the nuclear energy law for those who have deliberately or by negligence committed a nuclear energy crime are very strong. In such situations the persons would be prosecuted by a public prosecutor after having received the statement by STUK on the matter. The strong enforcement tools have not been used in practice. We think that for achievement of a high safety level it is better to motivate people to do good work, rather than to threaten them by fines or other penalties. Especially we want to avoid charges against individuals who have made mistakes or have been shown to have shortcomings in training and 169 information provided to them. It is also recognized that the use of legal or monetary penalties do not resolve the structural root causes of the problems. Experience has shown that a very effective means of enforcement is to give the public information about abnormal events at the nuclear power plants. If the plant safety is directly endangered because of some fault, or if some previously unknown safety hazard is observed, the STUK could demand plant shutdown on the basis of its own judgement. In practice, it is enough to have a serious discussion with the plant manager who is responsible for the safety of his plant. After such discussion the plant manager has always preferred making the shutdown decision himself. One reason is that a shutdown ordered by STUK would be negative for the public reputation of the operating organization. 4.2.1.3. Preparation for the inspections and reporting the results Inspection planning An annual inspection plan is made before the end of the year for the next year. Experience from previous inspections, needs for development, large modifications and needed settlements etc. may influence the inspection plan. In the annual plan a responsible unit is mentioned. This plan does not hinder the inspectors from doing extra inspections if they are needed. A specific annual focus area is presented by the management. The plan is submitted to the licensee for information. The inspections are performed according to the inspection procedures. The procedures are general enough so that they do not bind the inspector too much but give the inspector also some freedom to vary inspection topics and details. The procedures describe the area of inspection, background information needed and methods of inspection. Information is collected continuously for the planning of inspections such as: x x x x x x x Regulatory requirements and international standards; Licensee QA manuals and instructions; Results from previous inspections and audits; Information from event investigations and root cause analyses; Information from resident inspectors and other regulatory work; Safety indicators; Other information (e.g. international experience). Through the analysis of information an initial assessment of the inspection area is made and specific inspection topics can be chosen. In this phase time and resource allocation is made. For each inspection a detailed plan is made. The plan is based on the procedure and specific topics to be covered in detail are mentioned. The plan also includes dates and times, participating NPP units and participating inspectors. The plan will be sent to the NPP 1– 2 weeks before the inspection. Some topics can be inspected also without prior notice if that is considered necessary. 170 The group will be nominated according to chosen inspection area and expertise needed. The principle is that each person has an active role in the inspection. Each inspector has his or her own sub-topic in the inspection. The inspection begins with the start-up meeting with the licensee representatives. During the meeting the inspection topics, schedule and inspection methods are discussed. After the meeting the group will split up to review their own topics. During the inspection the group has meetings to discuss about findings and to build up a general view on the area. During the inspections that last for several days it is useful to have daily meetings with the licensee representatives. At the end the results are compared to the set criteria. Conclusions are written with justifications. The results of the findings and the general assessment of the inspection area are presented to the licensee in the exit meeting. Reporting the results Minutes of the inspection are written and signed by the inspector and NPP counterpart. Specific findings and remarks that need improvement and time schedule are mentioned if needed. For the minutes and remarks there are specific forms that are filled in. In addition to the minutes an inspection report is written. The report contains a summary part and justification part. In the summary part the following headings are included: x x x x Major findings which need corrective actions; Practices where there is potential for improvement; Development taken place since the previous inspection; Remarks concerning management of safety. In the justification part, findings and conclusions are justified and, in addition, inspectors have freedom to handle the topics which they consider necessary to write down for the future or for transferring information to colleagues. After the inspection report has been written a decision of STUK is prepared by the inspection group. The decision includes STUK’s requirements based on the findings made during the inspection. It is presented to the management of the department of Nuclear Reactor Regulation for approval. The decision is submitted to the licensee one month after the inspection. 4.2.1.4. The structure of the periodic inspection programme The periodic inspection program is divided into three different levels: x Management of safety (A level); x Main working processes (B level); x Inspections of the organizational units and specific technical areas (C level). The regulatory control aims to ensure compliance with the regulations and the plans and programmes approved by STUK, and to assess the appropriateness of the power company’s activities. Each inspection area has it’s own requirements that are set e.g. in the Nuclear Energy Act, Nuclear Eergy Decree, Decisions by the Council of State, YVL-guides and STUK’s decisions. Furthermore licensee has it’s own requirements set in the QA Manual 171 and procedures. These requirements form the inspection criteria against which the licensee activities are reviewed in the periodic inspections. In each inspection area also the functionality of QA system and competence and training of personnel as well as the adequacy of resources are assessed. Management of safety The inspection concentrates on the management activities at the plant from safety point of view. The aim is to find out the status of safety matters during decision making processes when dealing with real life situations, plant documentation and future planning. Also the capability to recognise safety matters will be assessed. The following issues are under this inspection: x Management principles; x Safety policy; x Safety goals, safety expectations from the personnel — procedures to commit the personnel to goals and plans; x The position and activities of management support groups; x Procedures to develop and maintain safety culture; x Follow-up of the overall performance. The inspection will be carried out once every two years. Main working processes In these inspections attention will be paid on the main working processes at the plant. The assessment concentrates on the work performance of different organizational units and to the fulfilment of safety and quality related requirements. Special attention will be paid on: x The appropriateness and performance of the methods and procedures used in the main working processes; x The interface between different working phases; x The feedback included into the main working processes and the use of feedback in the organization; x The support functions for each main process (training, QA and documentation). The main working processes at the plant are divided into three groups: safety assessment and enhancement, operations and maintenance. Each group includes different parts that support the main process. For example: B1. Safety assessment and enhancement: x x x x 172 Correspondence to the changes in safety requirements; Use of safety research results; Operational experience feedback in the safety assessment and development; Process of plant modifications. B2. Operations: x x x x Operation of the plant; Surveillance of operation; Control of disturbances; Periodic testing. B.3 Maintenance of the plant: x x x x x Maintenance; Control of ageing; Control of outages; Procurement ; Administrative control of work. The specific inspection topics are chosen during the preparation of the inspection taking into account the focus areas specified to each year. Each area will be inspected once a year. For example the inspection “safety assessment and enhancement” concentrates on the activities to ensure, develop and maintain safe plant operation. One of the main areas is plant modification processes and the inspection includes then the following issues: x Capability to identify the need for modifications based on the operating experience, results of safety research, results of safety assessment and analysis, and regulatory requirements; x Design, implementation and commissioning of plant modifications and control of plant documentation; x Management activities to encourage personnel to make safety improvements and allocation of resources. Specific attention is paid to the resource allocation. Maintaining plant safety presupposes that there are adequate resources in modification process (design and implementation). The assessment of the adequacy of resources is done based on the operating experience (designed and implemented modifications). Inspections of the organizational units and specific technical areas The goal of these inspections is to assess and verify the fulfilment of the set requirements in organizational units and specific technical areas. At the same time these inspections give valuable information to the level A and B inspections. The practical activities are inspected against requirements and instructions. The status of the area is assessed as well as the development activities and resources. Inspections related to the organizational units and specific technical areas are the following: 173 x x x x x x x x x x x x C1: C2: C3: C4: C5: C6: C7: C8: C9: C10: C11: C12: Safety systems and functions Electricity and I&C technique Mechanical components Civil engineering and structures Use of PSA and failure statistic Information management Chemistry Nuclear waste management Radiation protection Fire protection Emergency response arrangements and radiological safety of the environment Physical protection. These inspections will be performed once a year. Evaluation of safety performance of licensee Some countries have or are developing methods for evaluation of safety performance of licensee on the basis of inspection results, operational safety related data, performance indicators etc. Most famous is the US SALP method which suits well to large countries having a lot of NPP’s for comparison. Small countries act mainly on individual basis and by using case by case consideration. However, development of systematic means to provide objective operational safety review would be ideal to support decision making. STUK prepares an annual summary report on the results of periodic inspection programme. In this report the following topics are included: x Assessment concerning the safety of nuclear plants, licensee activities and identified areas that need improvement; x Assessment of the implementation of the inspection programme and possible improvement areas; x Improvement areas identified during STUK’s other activities. In the assessment of management of safety, attention is paid to the safety significance of individual findings and to the repetition of similar observations (for example common cause failures or deficiencies which could result in common cause failures). The status of plant safety, management of safety, QA and safety culture will be covered. The plant modifications will be assessed as well. According to this assessment the corrective actions to improve the plant safety are presented. The report includes the summary of the implementation of the inspection programme and the suggestions to improve the programme, inspection methods and internal procedures. Possible correlation between the findings of STUK and licensee activities to improve the plant safety will be assessed. The annual report is handled by the offices and in the department meetings. In the department meeting the measures to deal with possible corrective actions will be decided. The report will be attached to the annual report of the department. 174 4.2.1.5. Incident investigation methods in Finland Guidelines and criteria Requirements relating operating experience are presented in the legislation and exactly in the Decisions of the Council of State on the general regulations for the safety of nuclear power plants. According to the requirements operating experience from nuclear power plants shall be systematically followed and assessed. For further safety enhancement, actions shall be taken which can be regarded as justified considering operating experience and results of safety research as well as the advancement of science and technology. Guide YVL 1.9 “Quality assurance during operation of nuclear power plants” presents requirements relating to incident investigation. Guide YVL 1.11 “Operating experience feedback” presents the detailed requirements and practices relating guide YVL 1.5 “Reporting nuclear plant operation to STUK”. The reporting criteria can be divided into tree main categories: immediate, regular and incident reports: Immediate reporting A licensee shall report by telephone without delay all emergencies and incidents assessed to be of interest in Finland or abroad. Emergencies are events during which plant safety may be or is significantly compromised. Regular reports concerning specially information of incidents are: x Daily reports contain plant operational data, faults in safety-significant structures, systems and components; x Quarterly reports contain e.g. summaries of the operational data and incidents; x Outage reports contain e.g. the important incidents, the significant deficiencies and faults observed during periodic tests and inspections; x Semi-annual reports concerning feedback on operating experience a summary of activities which power company has done based on operating experience gained at own and at other nuclear facilities. The report describes all significant operational events which have been dealt with and also their handling phases. It also describes the corrective measures already implemented and decisions of corrective actions, which will be carried out later. Incident reports x Special reports contain all safety significance incidents and faults. The guide YVL 1.5 gives examples of events which meet the above mentioned criteria. Special reports are submitted in two weeks. x Root cause analysis report: both utilities have developed root cause analysis methods to investigate the most important incidents. The root cause analysis report shall be submitted in four months from the event to STUK for information. In the root cause analysis reports the licensee gives detailed information on root causes and corrective actions. 175 x Reactor scram reports and operational transient reports are sent in one month. Such events are i.e. events which include a forced reactor or generator power decrease. IRS system STUK is a national body in the IRS-system maintained by IAEA and NEA. STUK sends all received IRS-reports to the Finnish power utilities for evaluation. STUK prepares all Finnish IRS-reports and sends them to IAEA and NEA. Responsibilities for incident investigation The fundamental principle is that the licensees analyze their own operational events and send the results to STUK for information. STUK may conduct an independent analysis of its own if the utility’s organization has not performed as planned during an event, and when an incident is judged to result in significant modifications in the plant technical design or instructions. An examination can also be launched when the utility’s analysis is considered deficient or STUK’s investigation is assessed to have a positive impact on safety. In special cases, the examination can also be carried out jointly with the utility. An example of such joint-examination is an event for which there were problems in communication and in cooperation between the authority and the licensee. All reports received from domestic facilities are processed by STUK and the manner of handling depends on the report type and the safety significance of the event. When a report or a piece of important information reaches STUK it will first be assessed whether the event requires immediate action by STUK. The matters to be assessed are i.e. prerequisites to continue operation of the plant. Incident investigation methods and practices Both Finnish nuclear utilities have established procedures for the follow-up of domestic and foreign operational events. It is important that the utilities fully analyze operational events at their plants and carry out the necessary corrective actions. It is also important that the lessons learned from operational events abroad are implemented. Event investigation in Finland is based on legislation. Guide YVL 1.11 requires that a licensee examines all operational events which have safety significance, using a sophisticated root cause analysis method if an event’s root causes are not evident. Both Finnish utilities have their own methods for root cause determination. It is important to specify the correct root causes. Root cause is a cause without which the event would not have taken place. After the elimination of the underlying root cause the recurrence of the incident can be reliably prevented. The facilities have designated their own personnel responsible for operational experience feedback and also employ also external experts. A nominated group of inspectors in STUK supported by the rest of STUK organization takes care of the operational experience function, reporting of incidents and co-ordination of IRS-function. 176 STUK inspects and assesses, that the procedures and the activity in power utilities meet the requirements set by STUK. The inspection of instructions and procedures are carried out in STUK’s office and the inspection of the activity of the utilities at the plant site. Incident register in STUK The incident registration form has been developed in STUK. All forms containing only the most important events are fed into the computerised database. The database contains events as follows: x Events of which special reports have been written; x Operational transients with deficiencies in the operation of the utility’s organization; x Operational transients which have caused substantial modifications in plant structures or instructions; x Events with multiple faults in components of one or of several systems. . 4.2.1.6. Regulatory inspections related to plant modifications Perhaps the most important inspections the operating organization is obliged to request are the inspections of repairs and modifications. For all the repairs of failed safety relevant components, as well as for all modifications of the safety systems the operating organization has to present their plans in advance for STUK approval. The plan includes technical documentation as needed to verify the acceptability of the functional features, structure and materials of the repaired or new equipment. Also the repair or installation method, quality control, and tests after the work are presented. When the work has been completed, the operating organization has to ask for construction and/or commissioning inspections. General requirements The guide YVL 1.8 presents in detail how STUK regulates the repairs, modifications and preventive maintenance of systems, components and structures at nuclear installations during operation. The guide further describes the obligations related to this work imposed on licensees. Further component specific requirements can be found in other YVL guides. Before implementation of any structural modification in the safety related systems, the construction plans are submitted to STUK for approval. If a modification is extensive and affects the basis of or the prerequisites for an issued operating licence, an application for the modification shall be filed with the Ministry of Trade and Industry. According to the guide YVL 1.8, the licensee shall, for purposes of repairs, modifications and preventive maintenance: x Have clearly defined administrative controls and related instructions for the design, implementation and testing of these activities; 177 x Employ competent personnel and take care of the necessary training and job orientation, adequate working instructions and appropriate working tools; x Arrange for the nuclear power plant’s systems, components and structures to be regularly serviced and the associated tests to be duly conducted; x Have an established failure report and work request system. The work order/work permit contains requirements and restrictions relating to the technical specifications, radiation protection, fire protection and occupational safety and health. The licensee shall see to it that the requirements approved by STUK as regards radiation, physical and fire protection are complied with in repairs, modifications and preventive maintenance during outages as well as during operation. If a deviation from these requirements is anticipated regarding a specific task, plans concerning the deviation in question shall be submitted to STUK for approval prior to the commencement of work. The licensees have a document updating systems which ensure the validity of documents for use. For a modification, documentation describing plant layout and documents which affect plant operation, such as the final safety analysis report, systems descriptions, process, electrical and instrument diagrams, operating instructions and the technical specifications etc. need to be updated without delay. System modifications A system pre-inspection is carried out in the form of a review of the preliminary and final safety analysis reports and the related topical reports during the construction phase. During the operation of a nuclear installation, a system pre-inspection can be conducted on the basis of separate system pre-inspection documentation before the final safety analysis report is changed. Pre-inspection documents shall be submitted to STUK for approval at least concerning the modification of systems in safety classes 1, 2 and 3 as well as the modification of systems STUK has earlier requested inspection for other reasons. Modification of systems inspected by STUK earlier are submitted to STUK at least for information. Also an individual component modification which significantly changes a system’s operation or its operating parameters is considered a system modification. The safety assessment of system modification is described in 3.3.2.3. Mechanical components and structures Control of repairs, modifications and preventive maintenance of mechanical components and structures is carried out in accordance with the relevant YVL guides. A construction plan for repairs and modifications of mechanical components and structures is submitted according to the appropriate YVL guides. For repairs and modifications, information and reports are included in the construction plan. Furthermore, the grounds for a repair or a modification are stated and justified. 178 STUK’s inspector may approve a minor repair and modification plan at the plant if the system’s operational parameters are not changed and the assignment in question can be considered conventional. In decisions relating to construction plans, STUK’s inspector may present requirements concerning work-related permits as well as control of work and inspections. A special construction plan is not required for the carrying out of preventive maintenance operations if they can be carried out in compliance with regular maintenance instructions and if approved spare parts and accessories are used. Repair and modification of mechanical components and structures may be commenced only after their construction plans have been approved and the requirements concerning the commencement and control of work, as provided in decisions, have been met. The repair, modification and preventive maintenance of mechanical components and structures are subject to inspection. The inspection is usually conducted by STUK’s inspector. On application, STUK may authorize a utility employee to carry out inspections to an extent approved by STUK. The licensee is responsible for maintaining register of repairs and modifications of specific mechanical components and structures, individual component replacements included. The licensee shall provide a summary report of any extensive preventive maintenance actions such as the maintenance of diesel generators, control rod drives and main circulation pumps in which any observations and maintenance work are accounted for. After maintenance or modification, a component or a structure is subjected to a performance test which corresponds to at least a periodic test and by which its operability is ensured. In connection with system modifications, the test run programme and results shall be submitted to STUK for approval. Permits relating to the commissioning of a mechanical component or structure are reviewed as part of the construction inspection of repairs, modifications and preventive maintenance. A prerequisite for the commissioning of a mechanical component or structure is that it has been declared to be ready for operation. 4.2.2. Examples of specific inspections — German practices 4.2.2.1. Supervision of construction and operation by authorities [17] Function of state supervision Both the construction and the operation of a nuclear facility are subject to supervision by the respective nuclear supervisory authority responsible which is to check upon compliance with licensing prerequisites, requirements and provisions of the licences and other legislative rules. For this purpose, representatives of the supervisory authority or experts consulted have the right to enter the facility at any time and have access to any necessary information from the operator. For this purpose, the operator submits information operating reports to the authority at regular intervals and notifies the authority of reportable events according to the nuclear safety officer and reporting ordinance, in particular of any excess of fixed operating parameters (limiting values) and advises each change in personnel responsible for operation management 179 and control as well as all results of in-service inspections. In the case of special events as with the case of important in-service inspections, the experts consulted in the licensing procedure are also called upon during the supervisory procedure by order of the supervisory authority. There are three different decision categories for modifications of the plant: x The modification is subject to a licence by the licensing authority; x The modification requires approval by the supervisory authority; x The modification can be performed by the operator and is to be reported to the supervisory authority. Supervision of construction The experts consulted by the licensing authority are entrusted with the inspections of the layout of nuclear facilities and pertinent systems and components as well as accompanying control during construction. The accompanying control consists of examining the documents of the manufacturer or applicant by using regulatory works, specifications and possible additional conditions imposed by the licensing authority with regard to compliance with requirements (stated as documents review and approval) as well as compliance of the components or a system with the previously reviewed documents in the course of the inprocess surveillance. This examination is denoted as source surveillance or quality control inspection. The applicant for a licence for the construction and operation of a nuclear plant has to take the necessary precautions against damage due to construction and operation of the plant. This includes the assurance of the required quality of plant components. The applicant must ensure the required quality assurance measures to be taken by the plant vendors and manufacturers. The quality assurance activities by the authority or the experts consulted do not replace the quality assurance measures of the applicant or manufacturer. Thus, the quality assurance (QA) for construction and operation of a nuclear plant consists of the following parts: x QA of the applicant. x QA of the plant vendor. x QA of the manufacturer for products, components and systems. The accompanying control is required for all safety-relevant systems and components as regards nuclear power plants e.g. for: x Reactor pressure vessel with internals including fuel elements and control rods; x All other components pressurised with primary coolant (e.g. steam generator, pressurised, reactor coolant pumps, reactor coolant lines); x All components pressurised with radioactive fluids; x Items pressurised in the secondary system; x Containment; x Main steam and feed water pipes; x Reactor protection system; x Instrumentation and control systems; 180 x x x x Refuelling and transport equipment for control rods and fuel elements; Emergency power supply systems; Lifting and load-carrying equipment; Physical protections systems. The scope of the accompanying control is graduated according to the safety-related relevance of the respective components and systems. It ranges from a 100% surveillance (for primary system components of an NPP) to that of a conventional regulatory work; in this case, however, under consideration of special nuclear particulars such as radiation safety. Qualification examination For a NPP, e.g. the qualification examination comprises the safety-related assessment for the following: x x x x x x x x x x Design layout; Strength calculation; Construction material and other materials; Manufacturing process; Manufacturing documents; Circuit design; Feasibility of in-service inspections; Maintenance and inspection possibilities; Accessibility for repairs; Plant instrumentation. The documents from the manufacturers or the applicant are examined with regard to their compliance with the requirements. These documents are denoted as documents for approval (vorprufunterlagen — vpu). The following documents are submitted to the inspector: x x x x x x x x x x x x x Drawings; Items of materials (bills of material); Calculation documents; Weld location lists; Inspection plans; Welding plans; Heat treatment plans; Lists on production weld tests; Materials testing and sampling plans; Examination procedure for non-destructive tests; Pressure test plans; Measurement procedures; Plans for in-service inspections. The scope of the documents to be submitted is stipulated in the regulatory work or the specifications examined by the expert. The inspector examines the documents for approval with regard to completeness and compliance with the rules and specifications. There are three 181 items for which criteria are to be stated exemplary, which the inspector carries out the document review and approval against. Design layout: The design is assessed with respect to conformance with requirements with regard to functioning, stress, material, examinability and manufacturing as well as ease of maintenance. Manufacturing process: This is examined whether or not the necessary prerequisites and qualifications (necessary manufacturing and testing devices, qualified technical personnel, procedure tests for forming and welding) have been met. Test procedure for non-destructive tests: The compliance with the specified requirements, the suitability of the intended test procedure and the documentation of the test results are controlled. If changes in the documents are required after they have been considered by TÜV (e.g. due to alterations of a welding procedure or due to design modifications) a new document review and approval will be necessary. Manufacturing surveillance Manufacturing surveillance means the examination of a component, a system or a structural component with regard to agreement with the documents reviewed and approved by the inspector. Examination of the manufacturing prerequisites: Prior to manufacturing, the manufacturer has to furnish proof to the inspector that he has suitable equipment (for manufacturing, testing, transport and handling) suitable technical personnel for the manufacturing process (qualified welders), supervision (welding and examination supervision) and tests (material testing and non-destructive tests) at his disposal and that independence of the tests (independent quality assurance organization, authorized workshop inspector) is ensured. Only materials and weld filler materials inspected by the expert may be used. Information on experience with the intended materials and results from tests carried out regularly for the assessment of the manufacturing quality are reviewed by the inspector. The proposed manufacturing procedures (welding, forming) are to be qualified by procedure qualification tests. In addition to the review of documents, the inspector ascertains the existence of the items described at the plant of the manufacturer. Inspection during manufacturing: During manufacturing of product forms, the following inspection activities are provided: x x x x x x x x 182 Surveillance of heat treatments; Surveillance of mechanical testing; Performance of or participation in non-destructive tests; Visual examination and measurement controls; Control of all test results, also of the manufacturer; Review of documentation compiled by the manufacturer; Final stamp on parts after successful finishing of all testing; Issuing of an inspection certificate. In the course of manufacturing surveillance of components at the plant of manufacturer following inspections and controls are carried out by the inspectors: x x x x x x x x x x x Receiving inspection of product forms or component parts; Welding material tests for welding material; Welding surveillance; Surveillance of heat treatments; Non-destructive tests; Production weld tests for welding work; Examination of production monitoring test samples; Visual examination and measurement controls; Tests on unfinished structures; Pressure tests; Final inspections. During the final inspection, the inspector has to review the following: x x x x All records with regard to completeness and validity of the audit trails for future use; The specified characterisation of components; The completeness of manufacturing documents; The safety-relevant dimensions established during document review and approval. In the event of a positive result, the inspector marks the component with a stamp of approval and issues a final inspection and pressure test certificate. Basically, the manufacturing surveillance on the construction site or in the power plant is the same as the manufacturing surveillance of components at the plant of the manufacturer. After completion or installation of the systems and components, it is demonstrated by a functional test in the presence of the inspector that the set of requirements is fulfilled. In the case of non-conformance with requirements the inspector makes a decision in the course of the accompanying control. There are three categories of non-conformance: x Category 1: Non-conformance which can be eliminated by re-examinations or reworking. examples of non-conformance are poor restart during welding, surface imperfections with minor surface cavities, negligible non-conformance of specified heat treatment parameters. No special report is required for these examples of non-conformance. x Category 2: Non-conformance which can be eliminated according to standard repair plans or plans on the basis of existing process engineering control. These plans may already have been submitted and reviewed during the documents review and approval. Examples for it are material imperfections or imperfections of weld joints with unknown cause and which are repaired before final heat treatment of component parts. Each non-conformance is recorded by the inspector in a non-conformance report. x Category 3: Non-conformance which cannot be assigned to category 1 or 2 are, e.g. systematic discontinuities, cracks, non-conformances that fall outside tolerance bands and indications detected after final heat treatment. The further procedure is submitted to the inspector for each individual case in a non-conformance report. For non-conformance in 183 category 3 the inspector decides whether or not the non-conformance can be tolerated with or without additional conditions, whether and how repair is feasible, and whether or not the plant component has to be rejected. Supervision of operation Plant inspections: The supervisory authority or experts assigned by it carry out plant inspections at irregular intervals. The deficiencies determined during such inspections have to be removed according to their safety-related relevance immediately or within set time limits. The tasks to be performed during plant inspection are: Visual inspection of the plant; Review of the operating records kept by the plant operator; Examination of adherence to the rules of the instruction manual and safety specifications; Control of the presence of the stipulated operating and supervisory personnel; Control of the measuring instruments for contamination and radiation; Measurements of the local dose rate within the plant and on the plant grounds, Contamination measurements in the equipment rooms; Functional tests of the radioactivity monitoring systems of the vent stack and the Waste water transfer station; Control of the ventilation systems (differential pressures, volumetric, flow rates, filterload status); x Control of the fire protection measures (escape and emergency routes); x Control of physical protection systems (fence monitoring system, lighting, intrusion protection). x x x x x x x x x x Preventive maintenance: In many non-nuclear facilities components and plant equipment are operated until they break down. Only then will they be repaired or replaced. This method, however, can only be applied in cases where safety-related considerations play a minor role. In nuclear facilities, this method is not applicable. Inspection and upkeep on the one hand, and repairs on the other are parts of maintenance. Inspection consists of measures for determining and assessing the actual condition; upkeep consists of measures for keeping the required condition of systems and components reliable. Repairs means the restoration to the required condition if it does not comply with the actual condition. Upkeep and inspection together are also called preventive maintenance. The expression “preventive maintenance” implies that it is a matter of acting preventively and not wafting until parts or entire components fail. In-service inspections (wiederkehrende Pruefungen — WKP) are a part of the inspections which are to be performed at regular intervals by the plant operator according to legal regulations or the requirements of the licence. It concerns, in particular, inspections of safely-relevant plant equipment. These are in general the equipment required e.g. to shut down the reactor safely at any time and keep it in the shutdown condition, remove the residual heat and prevent radioactive substances from being released into the environment. While in-service inspections are regulated to a large extent by uniform federal standards, the other inspections as well as maintenance work are mainly planned and 184 performed as the responsibility of the operator. This, however, does not mean that it is left up to the operator whether such work is done at all. For this reason, the operating licences for nuclear power plants in Germany generally include requirements that demand maintenance and inspections as well as in-service inspections. The way in which these requirements are met by the operator is described in many cases in a quality assurance programme which is to be submitted to the expert consulted for review and to the licensing or supervisory authority for approval. In many cases, the necessary in-plant procedures for maintenance and inspection are comprised in a maintenance manual. The manual contains all necessary information for the maintenance personnel of the operator regarding the maintenance and inspection work to be performed at the plant. It contains a description of the maintenance concept including maintenance details, the maintenance list and instructions. In the first part, the general part, instructions are given for the use of the manual. In addition, an outline is given, and the principles of preventive maintenance are explained. Further, this part contains general technical standards. The second part of the manual includes the maintenance list. This is a listing of all components which are subject to preventive maintenance in the narrow sense. Additionally, there are data given on maintenance measures, the maintenance intervals and times set for the carrying out the maintenance work. Components of importance to safety or security are stated specifically. The third part of the manual includes the maintenance instructions. These are written according to the specifications of the manufacturer and are also based on operating experience of organizational units of the operator responsible for the systems (mechanical engineering, electrical engineering, instrumentation and control, physics). The instructions specify the work to be done and offer guidance for record keeping. The performance of maintenance work is either the duty of a specially organized maintenance unit or it is done by the organizational units responsible for the systems mentioned above. According to the stipulations of the maintenance list the expert is consulted for the maintenance work. Reportable events: The recording and classification of reportable events is done with the help of reporting criteria and report forms. The report criteria are defined to a large extent by technical specifications of the nuclear facility and the legal situation in Germany. Therefore, the criteria cannot be applied without further ado in other countries with other technical and legal preconditions. The reporting criteria are an important instrument in the exercise of functions within the scope of supervision of nuclear facilities by the authorities. Further, they serve the purpose of globally using the experience feedback from different plants. In the reporting procedure time limits are set for reporting so that the supervisory authority is able to react quickly in case of an incident. Moreover, requirements are stated regarding the contents of the notifications the aim being to inform the supervisory authority precisely and comprehensively. The reportable events are specified by the reporting criteria and subdivided into categories. In Germany there are four reporting categories (S, E, N and V) which are graded 185 according to the time limits set for reporting. Category S has the shortest time limit and N the longest. Category S (immediate report): Events that have to be reported immediately to the supervisory authority in order that the authority, if need be, can arrange for inspections or measures to be taken within the shortest possible time. This category includes, among other things events showing safety-related deficiencies which have to be removed very soon. Reporting Period for Category S is: Immediately upon detection by telephone or telex; information or corrections of the notification, if need be, at the latest on the fifth working day after detection on a report form. Category E (urgent report): Events that have to be reported to the supervisory authority within 24 hours so that the authority, if need be, can arrange for inspections to be made or measures to be taken within a short period. This also comprises events the causes of which have to be identified in the short term and eliminated, if necessary, within a reasonable time for safety reasons. In general, this concerns events potentially, but not (directly, of safety significance. Reporting Period for Category E is: at the latest 24 hours after detection by telephone or by telex; detailed information or corrections of the notification, if need be, at the latest on the fifth working day after detection on a report form. Category N (normal report): Events which have to be reported to the supervisory authority to enable the detection of potential safety-related weak points. In general, this concerns events of little importance for the safety which exceed the usual operational events under normal plant status and operational modes. Reporting Period for Category N is: at the latest on the fifth working day after detection on a report form. 4.2.2.2. Inspection practices in Germany Arrangements for inspection and inspector’s rights of entry Due to the large hazard potential nuclear power plants are subject to strict state supervision. This supervision includes the construction and operation of the facility, the handling of radioactive materials, i.e. their procurement, storage, processing and disposal, as well as modifications of the plant and its operation, and also its decommissioning. An administrative body which grants licenses and permits to applicants must ensure, that the responsible persons of the facility adhere to these permits, their regulations and requirements. For this purpose it is necessary to have an appropriate legal basis that meets the inspector’s requirements. Regarding the implementation of the Atomic Energy Act in Germany (AtG), experts are involved on a large scale in nuclear inspection, in accordance with the AtG. The responsible authorities constantly have to clarify and check very complicated technical issues in connection with different measures of the supervisory procedure to see whether damage prevention measures or the required defence against danger are realised. Many expert organizations have the depth of specialist knowledge to offer to the authorities. Although the involved experts only act as assistants to the authorities and have no decision-making power whatsoever, they do actually play a significant role, since the authorities sometimes pass farreaching decisions depending on their experts` comments. 186 The authorities and their experts have the power to inspect what they deem necessary. Inspection includes checking for compliance with the AtG, the ordinances, the specifications and allowances, and thus for example; x Decide on appropriate measures to check for ageing; x Take measurements, such as functional data of valves, release of activity; x Seize or demand records for closer scrutiny, consulting other experts additionally, if necessary. Objectives of an inspection programme Continuous inspection is needed e.g. to have a clear insight into the changes of the plant. Take for instance, operational load conditions, such as temperature or pressure fluctuations. It has to be found out if these fluctuations happen according to specification, and if this is not the case to define periodic inspections, to follow the developments. Inspection is needed to make sure that all effects were considered at design and to be able to stop or reduce the altering process of the components and the NPP altogether in time. Thus it is necessary regularly to: x x x x x Cross-check the conceptual data with the actual data of the components; Compare the condition of the plant with the documents underlying the licence; Watch the behaviour of the plant (or components) if it is according to the specifications; Evaluate the sources and effects of ageing; Check if the safety goals are adhered to. Objectives of different types of inspection programmes An inspection manual helps inspectors to direct their work. Basic rules for inspection are defined here. The manual defines the ways and means for inspection. It contains the regular periodic inspections. Vital points concerning inspections include: x A description of those who may take part in inspections (technical bodies, consultants, experts); x What is subject to inspection; x The tasks and rules of the inspectors; x The rights for entry and inspection; x The ways and means for inspection and enforcement, including check lists, reference lists, directives for realization and procedures. The inspection programmes for components and systems are important tools. Inspections and regular tests can validate not only the correct function of a component, but of the system or even connected systems. Also service systems are important to inspect because their operation is necessary for safety systems. There are five types of inspection programmes: periodic functional tests, maintenance and inspection, outage, shift inspections, and monitoring. 187 Usually the authorities view the maintenance programme as inferior to the periodic test programme. But to be convinced that after the functional tests the component really may be considered as operable for a defined period of time, it is also necessary to do regular maintenance and inspection intensively. To get reasonable and optimal inspection programmes we have to: x Consider operational experiences of individual and other plants, mostly those of the same kind; x Check on regulations for NPPs and the conventional sector for relevant inspection periods; x Set priorities with the goal to define those components that are most vital for the safe operation of the plant; x Consider the results of probabilistic safety analysis to check and optimise inspection periods and change inspection methods to eliminate weak spots; x Include into the lists and instructions the participation of experts; x Stage the tests so that all vital parts are tested so that it becomes evident that the components and complete trains of emergency systems work in the desired way (if possible system functional tests); x Consider the proposed periods and methods described by rules and standards; x Discuss inspection methods; x Set procedures that two complementary safety-related systems are never inspected at the same time; x Have instructions for ultrasonic or x-ray examination; x Take the condition of plant into consideration in inspection planning; x Optimise test frequency; x Check the programme in regular intervals to collect experiences. An expert should review also: x The inspection manuals (with their general statements); x Inspection instructions; x Evaluation of inspection results. The periodic test programme is part of the safety specifications of the plant. Modification of these data are allowed only if permitted by the authorities. Having the component-inspection-programmes as a basis and including other activities as well, such as for plant modifications, the operator has to propose the outage programme to the authorities and the consultants. These maybe add additional activities, if necessary and approve the programme. The operator must prove or confirm the following in written form, to get an official approval for restart: x Safety of the core (confirmed by neutron flux, heat transfer and accident radiation release calculations for the new core); x Inspections of the fuel elements must be positive (a fixed procedure, maybe enlarged depending on findings, fuel rod defects and so on); x No deviation of allowed conditions of the plant; 188 x x x x No knowledge of conditions endangering the safe power operation; Reactor safety systems checked with participation of the consulting experts; Positive termination of special inspections; Documents revised according to the plant status. Most of these points are subject to confirmation by the consultants many of whom will have worked on such plant during the outage? Inspections and tests in the first place give us the necessary certainty that all is well and that there is no danger in starting the reactor up again. With this certainty backed by experts’ opinions, the authorities agree to a plant restart. The programmes are the foundation for the inspections and tests and the results are described in the protocols. If there are findings, the results are discussed during weekly outage conferences with participation of operator, experts and authorities, and measures as well as resulting consequences for restart are agreed upon. Different types of inspection Regular, basic inspection, depending on traditional tools can be divided into the on-site part (direct inspections), and the office-part (indirect inspection, desk-checks). The supervisory authorities should be on site with a manpower of about 1 man-day per week per plant. The on site inspection has several important functions: to show the presence of the authorities; to maintain communication, learn about the licensee’s plans and discuss formal matters such as the classification of plant modifications. Regularly checks should include for instance: x Implementation of the radiation protection ordinance: labelling of radioactive substances, marking of restricted areas, activity- and dose measurements and cleanliness; x Access control; x Presence of operational and guard personnel; x Fire prevention, rescue and escape routes; x Correct implementation of rules for disconnection of components or systems, document handling and upgrading, clearance of work; x Progress of approved modifications of the NPP; x Systems’ condition, on the spot as far as possible during operation; x Systems’ inspections being carried out by use of surveillance testing and maintenance programmes; x Implementation of quality assurance; x Professionalism of personnel. Regular, basic inspection includes also a visit to the control room, a close look into the manuals and the discussion with the shift on the condition of the plant, the clearances for work currently in progress, anomalous events and so on. Besides on site inspection the authorities get their information through operator’s regular reports. In the licences for operation there is a requirement obliging the operator to provide such reports at regular intervals. 189 Daily reports can be handed over by telefax. They should contain basic information about the plant, such as: x x x x x Notifiable events (according to the notification ordinance); Excess of radioactivity limits of releases to air and water (as defined in the licence); Peculiarities concerning the NPP and its operation (such as stretch out, variable power); Concentrations of radioactivity in the cooling systems; Leakage inside steam generator. Remote supervision system (KFÜ): The continuous operation of the NPP and most of all the release of radioactive matter from the discharge stack or water cannot be supervised continuously (at any time it is desired) in the above described ways by visits on the plant, daily report sheets and semi-annual or annual reports. Therefore an automated system had to be developed that can do this job, the KFÜ With this system operation variables as well as releases into air and water and immersions can be checked and recorded. Not only the NPPs on state territory can be supervised thus but also those of foreign nations, using monitors and sampling stations situated on our side of the national border. The KFÜ is an important instrument to check if vital parameters inside and outside the NPP are within allowed ranges and renders also important post-accident data, i.e. it can help to provide a forecast of the distribution of radioactivity in the environment. But, of course, it can do a lot more. So, for instance, it automatically sets off an alarm, if given limits of a combination of different interlocked parameters is exceeded. This alarm reaches the appropriate official by a use of a paging system and they have to verify and relay the message to the officials responsible for the plant. Intensified inspections: Besides the regular basic inspection activities it is advisable to establish intensified inspections, with the objective to inspect certain topics or procedures in depth. These activities can be induced at individual or other NPPs or can be the result of a safety analysis review or be a part of it. The definition of such subjects are made on agreement by authorities, operator and consultants. In addition to the authorities` intensified on site inspections the operator usually has to hand over a number of appropriate documents for examination and evaluation. The results of the intensified inspections usually are documented internally and occasionally results are also given to all participants, even to the public. Examples of such intensified inspection are: x x x x x x x x x 190 Investigation of an event; Clearance and transport of radioactive material; Fire prevention and protection; Safety of cranes and transport; Safety-relevant gate valves (improvement of reliability); Industrial safety; Austenitic tubes in the primary circuit (material, welds, water conditions, corrosion); Safe use of gases; Integrity aspects at components with high energy content in the turbine hall; x Embrittlement of the reactor pressure vessel. Outage inspection: The annual outage is characterized by the following three groups of activities: x Exchange of fuel assemblies; x Recurrent inspections and extraordinary inspections which can only be performed when the NPP is shut down; x Modifications, backfitting and maintenance. Because of the sheer number of these activities the number of supervisory tasks increase during this state of operation. Inspection on the site is intensified correspondingly, on the side of the authorities and most of all on the side of the consultants. Additionally, during a plant outage a number of activities are performed simultaneously, by a large number of outside personnel. Besides checking the work itself it is necessary to ensure compliance with safety related minimum requirements (minimum number of safety systems) for outage operation and the safety of the personnel. This kind of inspection demands a close coordination of the parties concerned. The different departments of operator, consultant and authorities must stay in close consultation to treat non-conformities appropriately, avoid undue delay, avoid disregard of requirements for quality assurance as well as work safety. Unannounced inspections: Usually inspections are planned and their main programmes known to the operator. Getting ahead with some inspection subject, it is often of advantage to have the responsible operator’s specialists at hand. That might not be the case for an unannounced inspection. Unannounced inspection is to be considered, if there is: x Distrust (fear that evidence of some kind be removed); x Animosities (absence of mutual understanding and respect between the regulatory body and the operating organization); x A low safety culture; x The need to establish proof of some kind (irregularities may be found easier if the operator is unwarned and unprepared). However, even if a positive atmosphere between authorities and operator exists, and even if there exists a good safety culture, unannounced inspections should happen at NPPs, from time to time, as most ordinary industrial or trade supervisions happen unannounced, where work safety requirements and requirements of the licence are to be checked. Reporting of results Reporting inside the NPP: During safety relevant periodic tests and maintenance, protocols are created. The protocols shall allow the evaluation of the inspection. For this there is a form in the inspection manual that has to be filled in appropriately. 191 In principle there are four results possible at the inspections: x Within specification (design data); x Within specification and corrective actions during inspection; x Not within specification, deviation tolerated, an additional inspection after some time may be necessary, additional measures may be necessary; x Not within specification, additional inspection necessary (after corrective measure). There is a part in the form for explanations, e.g. x x x x Deviations from specifications; Findings, including those of non-destructive techniques; Implications for the systems; Implications for the procedures (instructions, lists, programmes). The evaluation of the safety relevance has to be done without delay. The results of the inspections after this first evaluation are then evaluated in detail by the departments of the operating organization. They must start the appropriate measures if there have been any findings. The applicable procedure for planning and carrying out the repair is described in the operation manual: in the maintenance rule. All necessary steps till repair or replacement must be documented in a comprehensible way. Also, the findings must be checked concerning the passing on of information: x To the other NPPs to check for applicability; x To the manufacturer for feedback, to define preventive measures for the same or other installations for the future; and/or x To the authorities concerning safety relevance according to regulations. For the identification of root causes experts may have to be consulted, those consulted by the authorities may have to be informed. Possible generic characters of the causes have to be considered. The need for modifications of inspection programmes or routines (instructions) have to be evaluated. A very important way of evaluating findings and the appropriate measures are direct personal contacts and regular meetings such as the daily morning meetings. At these meetings all heads of departments take part, and amongst others the work request/work-orders are discussed and signed by the management. Periodic reports: The operator has to submit annually the report on periodic tests. The report contains the operator’s view concerning: x x x x 192 Basis for inspections (inspection programme); Evaluation on completeness, timeliness and correctness; Irregularities, findings, measures; Statistics of findings, concerning measures and departments concerned, common cause evaluation. opinion concerning the safety-relevance of the findings, such as indications for ageing of components. Outage report on periodic inspections: Towards the end of the refuelling outage the operator presents to the authorities and consultants at a special meeting those inspections that show more than just a tick at “compliance: yes”, in the protocol form. All these findings can be found later also in the annual report on periodic inspections. But at this point it’s necessary to have the latest information, because a decision has to be made if the plant status is acceptable for restart. Notification on non-compliance: If safety relevant events or conditions take place or are found during inspections, they must be passed on to the authorities according to Regulations for the Notification of Incidents (AtSMV). The licence for operation and the appropriate rule for notification, defines the: x The allowed time lag; x The means (telephones, telefax, forms) for notification; x That in certain defined cases no corrective action or restart without consultation of the experts is allowed. It may be necessary for the notification forms to be supplemented by additional reports, clarifying the causes and resulting measures. Results of monitoring: Certain inspection measures, like monitoring, are imposed upon the operator by requirements related to a licence or accompanying control. The operator is then required to state the results of these measures, for instance the results of vibration and temperature measurements concerning ageing, in written reports to which experts can state their opinions. Other reports: Furthermore, reports reach the authorities about the outage results (summary) and on subjects concerning the periodic safety review, events in other plants, and on subjects of intensified inspection. Other means for communicating findings to the authorities are: A daily report on plant performance is sent to the authorities by telefax, including results for emission of radioactive effluents. This report is due at the authorities in the morning of the following day. The daily report contains events also, which will be later notified according to the notification ordinance to the authorities as well as those events which have some importance but have no effect on plant performance. In Germany an event as well as a finding at inspections, must be evaluated according to the AtSMV, as mentioned before. Only if the event has to be passed on to the authorities according to this regulation, it also has to be evaluated according to INES (international nuclear event scale) If there is no necessity for information given according to AtSMV, then it is equivalent to “out of scale” according to INES. For instance, if the finding is severe enough to lead to a failure in safety functions, if a common mode failure was detected or if there are deficiencies in the safety culture, a higher level than 0 is to be expected. It must be stated however, that the INES is primarily a communication tool and not a means for event analysis and feedback. 193 One additional means of communicating findings to the authorities is the telephone. To ensure this direct communication it’s best to have good relationships with the operator, a climate of mutual trust and not mutual suspicion. Reports on expert level: The consulting experts (TÜV) have an information system (TÜVIS) by which important events are communicated. This instrument is important for information processing to the authorities, most of all in cases that concern conventional plants, as the TÜV is historically a body to check the integrity of pressure vessels and the operability of the pressure relief systems and carries out respective tests there, too. Processing of information at the authorities: Depending on the seriousness of an event a short note must be prepared for the minister, containing details of the state of affairs, safety relevance, and resulting measures. Comparisons to the earlier events are made and the categorisation is discussed. Information that could be important to the public is passed to the federal ministry quickly, by telefax or telephone. The notification sheets of the event reach also the consulting experts who have to give their opinion to the authorities as soon as possible within two weeks. The forms are passed on to the federal ministry (BMU), the federal office for radiation protection (BfS) and the GRS, an expert organization evaluating the events and preparing quarterly and annual reports on events. While the operators give information to the public, if INES level 1 or higher is concerned, or the event notification classification (AtSMV) is S or E (the two higher levels, the lower one being N), the ministries pass the news of such events immediately on to the parliament bodies and the federal ministry for environment and reactor safety. Enforcement In cases where the inspection results in findings that, after thorough investigation need action, the authorities can order remedies. This is also founded on the Atomic Energy Act: To eliminate unlawful or dangerous plant conditions, the supervisory authorities can order, that a condition be abolished. By this law they can order in particular, that: x Protective measures be taken and specification of these measures; x Radioactive materials be stored or put in safe custody in a place specified by the authority; x Operation of the plant be temporarily stopped for repair. The regulatory authorities have a wide scope for discretion in the practical implementation of state supervision. There are legal restrictions to the scope of discretionary authority. The legal action must be appropriate and not arbitrary. The supervisory body has a wide range of possible measures, the gravest of which is the temporary or even the final shut down of the plant. Before the supervisory authority orders such a stringent measure they have to check if the determined illegal or dangerous state of the plant can be relieved sufficiently with less severe measures. Furthermore the urgency of the measure must be determined and the probability for some initiating incident that could result in a dangerous condition. 194 4.2.2.3. Examples of detailed inspections General This lecture will deal with the inspection types performed by the regulatory body. There are three types of inspection: routine inspection, inspection of modification and a nonroutine inspection. All the activities of the regulatory body will be demonstrated by specific examples. The activities of the utility operator will be considered as far as it is necessary to understand performance of inspection by the regulatory body. The examples given here are: the periodic non-destructive examination of primary-system components, the modification of the volumetric control system, a leakage of a steam generator tube, respectively. As the examples given here are taken from the work of the German regulatory body, the nuclear standards taken into consideration are several standards of the KTA. The preparation for the inspection is in case of every inspection described here the same. Additional to a technical education and experiences in these specific inspections one has to make oneself familiar with the components to be inspected, with special problems that have to be taken into account and with the inspection method itself. The next step is to decide what can be done by oneself, what has to be done in team work and when the help of an external expert is needed. In the examples given here the inspections are divided in two parts. The first and generally the main part of the inspection are the documents for approval, specifications and other papers submitted by the utility operator. The second part is the inspection in the power plant. In the most cases, the inspection is performed by the utility operator and supervised by the regulatory body. Every inspection terminates with an inspection report. This report contains a brief description of the problem and the inspection method, the result of the inspection, and the effect on the state of safety. Example of routine inspection: Periodic non-destructive examination of primary system components The programme of the periodic non-destructive examination of primary-system components is determined by nuclear standard KTA 3201.4 “Components of the primarysystem of light water reactors, Part 4: In-service inspection and operational monitoring”. The utility operator provides an approved list of inspection by observance of the nuclear standard. For every annual in-service inspection the utility operator presents a test sequence plan containing those non-destructive examinations that will be performed in the current year. In the course of four years all items of the list of inspection have to be examined. This is controlled by the regulatory body as well as the completeness in the performance of all the planned inspections. All non-destructive methods used must be qualified either by the regulatory body or by an authorized expert. The inspections have to be performed according to approved examination instructions and approved specifications. 195 The minimum qualification needed is a basic knowledge in non-destructive testing. The member of the regulatory body must be familiar with the possibilities and limits of the different methods of non-destructive testing. If no external expert is consulted the member of the regulatory body additionally needs a well-grounded knowledge in one or more methods of non-destructive testing. The special kind of knowledge needed depends on the inspection to be performed. Usually the special education needed is Level 2 according to the European Standard EN 473. In case of mechanised non-destructive examinations the staff of the regulatory body have taken part in special training concerning the procedure and the evaluation of the used mechanised nondestructive examination. If none of the regulatory body has this qualifications the help of an expert is needed. If the inspection is performed by the utility operator and supervised by the regulatory body the results are evaluated by both the utility operator and the regulatory body. The results are reported by the utility operator and witnessed by the regulatory body. If the regulatory body performs his own inspection, he makes his own evaluation and test-report. The examination is finished as soon as the regulatory body agrees that the examination performed matches the test sequence plan and the test specifications. If there are any adverse indications the utility operator has to ensure that the flaw indicated results in no lack of safety. This is inspected and evaluated by the regulatory body. The approval to put the power plant back in service is given if the whole in-service inspection is finished with a positive result. Otherwise the regulatory body can enforce additional repair works by refusing the approval to put the power plant in service. Example of modification: Modification of the volumetric control system For this example the utility operator presented an application for modification titled: “Optimized supports for the volumetric control system”. Optimization of the piping support meant exchanging the piping supports of the volumetric control system and, where necessary, changing the laying of the pipe system to minimise loads on both piping supports and pipes. Changing the laying of the pipe system included the replacement of parts of the pipes. Due to the conditions given by the building, it was only possible to construct the piping supports to stand loads of a jet caused by a crack smaller than 0.1 times the cross-section of the pipe. This means that a rupture of the pipes of the volumetric control system had to be precluded. The first step for the inspection is the review of the documents for approval of the modified system. This means that the regulatory body inspected the construction, the calculations, the quality of the material and the quality of fabrication. If necessary the regulatory body corrected the documents and finally approved them. The fabrication of all components had to be performed by observance of the approved documents. The in-process inspections by the regulatory body were documented on the certificate. 196 The rupture preclusion is based on the basic-safety concept. All new components were produced by with regard to all regulations of this concept. It had to be proved that the manufacturing of the remaining components met the principle of the basic safety concept. By use of the certificates the quality of materials and welds were evaluated with regard to the admissibility and the completeness of all tests. All documents were reviewed by the regulatory body. The calculations presented concerning stress analysis, fatigue analysis and fracture mechanics were improved by further calculations performed by the regulatory body. The monitoring programme and the in-service inspection programme were reviewed as well. With regard to the quality of the components, stress analysis, fatigue analysis, fracture mechanics, monitoring programme and in-service inspection programme the regulatory body decided whether the requirements for rupture preclusion were met. If necessary the regulatory body extended the monitoring programme or the in-service inspection programme. In the worst case components that didn’t abide by the principle of the basic-safety concept had to be exchanged or the concept of the modification had to be revised. The modification can only be performed if the regulatory body agrees with whole concept. The agreement bases on the report of the regulatory body including the result of the inspection of the documents. The modifications are performed by the utility operator with regard to the approved documents. If required, the modifications will be inspected by the regulatory body. These inprocess inspections are documented in the certificate. After the modification is finished an as-built evaluation has to be performed by the utility operator and the regulatory body. After the as-built evaluation the regulatory body does his final report. Only if this report has a positive result, he will give the permission to put the modified system in service. Example of non-routine inspection: Leakage of a steam generator tube The example given here describes a leakage of a steam generator tube. About three months passed from the first detecting of the leak to the repair work. The leakage was detected by monitoring the contamination in a secondary loop. The contamination rose from the ground level 2˜103 Bq/m3 to 6˜103 Bq/m3. When the contamination had risen to 1.4˜103 Bq/m3 the clue of a leakage in a steam generator tube could be assured and was reported to the regulatory body. The event was classified as category N (events with little safety significance which have to be reported to the regulatory body). The leakage flow was calculated to a value between 50 and 100 g/h. The limit to take the power plant out of service was set at 2 kg/h. In their first inspection report the regulatory body consented to the classification of the event. The leak size was calculated by the amount of the leakage flow. Due to this leak size the regulatory body calculated the safety clearance to critical flaws by the use of fracture mechanics. These calculations showed that the leak area was 10-6 times as big as the crosssectional area of a steam generator tube and that cracks with half the size of a critical crack would have flow rates of more than 300 kg/h. The regulatory body found no reason to take the power plant out of service immediately. The inspection report concluded with the agreement to keep the power plant running during the regulation of the repair work until the end of preparations for the repair work. 197 The utility operator presented a detailed report. It said that the repair work was to be performed during the next in-service inspection by closing the leaky tube with plugs at each end of the tube. The regulatory body compiled a further statement. They assessed in detail the radiological consequences, the results of previous non-destructive testing, possible reasons for the leakage, the fracture mechanic results, the criteria to take the power plant out of service and the planned proceedings such as the location of the damaged tube and the repair work. The regulatory body agreed with the utility operator’s programme but they demanded documents for approval for both the procedure to locate the damaged tube and the repair work. All those documents for approval were reviewed by the regulatory body. When the leak rate rose to nearly 2 kg/h the utility operator applied for a shift of the limit to take the power plant out of service. They suggested 20 kg/h. After performing some fracture mechanic and hydrodynamic calculations the regulatory body agreed to fix the limit to take the power plant out of service to a leak rate d 8 kg/h. When the leak rate reached a value of 2.4 kg/h the utility operator decided to take the power plant out of service in order to repair the damaged tube. The location of the damaged tube and the repair work were performed in the presence of the regulatory body. The first step to locate the leakage was a water level test. Video cameras were installed in both primary vaporisation drums of the steam generator. The secondary side of the steam generator was filled with water and pressurised. It was possible to locate the leak in the cold leg of an unplugged tube. By lowering the water level step by step the leakage was located directly above the tube sheet. No further test was performed to locate the leakage. This difference to the approved documents was reconciled with the regulatory body. The next step was to fix a test schedule for the eddy current test of the tubes. In agreement with the regulatory body the utility operator planned to inspect about 37 tubes in the surrounding of the defect tube and about 33 tubes in areas around tubes that were known from former in-service inspection to show indications due to reduced wall thickness. The defective tube was inspected first. The eddy current test indicated two flaws each about 6 mm long and 3 mm wide. Two other tubes in the immediate neighbourhood of the defect tube showed indications due to a reduced wall thickness of more than 50%. By opening an inspection hole on the secondary side of the steam generator, the area surrounding the defective tube was inspected using a videoscope. A lost part was found directly between the defect tube and the two tubes with indications. This particle was identified as a semicircular shaped strip of sheet with a diameter of about 30 mm and a thickness of about 3 mm. The particle was located at an area with material erosion due to contact between the leaking tube and the particle. After the reason for the damage had been found, it was decided to reduce the inspection programme to the area surrounding the damaged tubes. This was done in agreement with the regulatory body. No further indications were detected. It was decided to plug the damaged tube and the tubes with a reduced wall thickness >50%. The repair work was performed in the presence of the regulatory body. 198 From the location of the damaged tube to the plugging of the three tubes the whole repair work took less than 48 hours. This was possible because the approved documents for any eventuality had been prepared and because the regulatory body was present during the whole procedure. All steps from the schedule for repair which had proved to be unnecessary could only be cancelled in agreement with the regulatory body. In his final report the regulatory body described the whole procedure and explained decisions. 4.2.3. Inspection practices in the United Kingdom 4.2.3.1. Background Under UK law all employers must ensure that their workers and the public are kept safe. Nuclear plant can only be put on a site if the Health and Safety Executive (HSE) has granted the operator a nuclear site licence. HSE’s Nuclear Safety Directorate (NSD) issues these licences and inspects licensed plant through its operational arm, the Nuclear Installations Inspectorate (NSD). This note is mainly about NSD’s work. Licences are only issued to companies or public bodies that are actually in charge of day-to-day nuclear operations in a clearly defined area of a site. Nuclear licences do not have any time limit, although they tend to be reissued every five to ten years because of organizational or plant changes. Each licensed site has an identified site inspector based at NSD headquarters. Site inspectors spend 35% of their time carrying out their inspections on site. Unlike countries that set very detailed technical laws, UK health and safety law sets goals and calls for licensees to make arrangements for meeting their legal duties. This calls for the regulator to be able to judge those arrangements and requires a relatively skilled approach to inspections. Various types are used, ranging from routine inspections by a nominated site inspector to large, multi-disciplinary team inspections carried out by as many as twelve inspectors that focus on a specific theme. UK nuclear regulation aims to ensure that licensees are meeting their statutory obligations, have sufficient resources to meet their responsibilities for health and safety, and that their proposals and actions keep risks as low as reasonably practicable. This note outlines the approach adopted in the UK for enforcing health and safety law through the inspections carried out where the main aim of the law is not to be prescriptive. It outlines some of the several types of inspection used to meet different objectives throughout the many phases of plant life. NSD’s inspection programmes are discussed. Although most of the examples used arise from nuclear power plant inspection, the licences issued to and the techniques used by the UK regulators apply equally to fuel manufacturing and reprocessing plant. Unlike most UK industries, prospective nuclear licensees must show that their plant will be safe before a licence will be issued. They must also show that they can manage the site and deal with any liabilities remaining when the site is finally shut down. Without a nuclear site licence they cannot operate. This means that new applicants need to hold early talks with NSD, to ensure that effort is not wasted on both sides. 199 As elsewhere, UK safety law holds licensees responsible for safety. The NSD sets safety goals and the aim is for licensees to set out how they will meet them. NSD will see that these are adequate and are met by the licensees, and will take enforcement action to ensure this where necessary. This policy ensures that the licensees accept that responsibility, whilst allowing them to find their own ways of complying with the law. To retain independence, a balance has to be struck in how far NSD should be involved in the design and assessment process. This calls for careful choice of the key safety issues and what to examine. Licensees must carry out their own detailed assessment and audit of their designs from the safety point of view. NSD will satisfy itself that licensees have the organization for this and that they are carrying out their functions effectively. They do this through both planned and reactive inspections. NSD inspectors have the power to ban an unsafe activity or call for improvements, but can only have fines imposed through the legal courts. 4.2.3.2. Types of inspection The UK system allows for several classes of inspection that follow the life-cycle of a plant from its design, through construction to licensing and operation and in-service modification, to eventual decommissioning and delicensing. Design and construction An NSD inspector is allocated to the site from the start of construction through to decommissioning and eventual delicensing. This means that frequent inspections and discussions take place, key tests are witnessed, and the test reports are checked. Specialist inspectors help to assess safety cases and often visit the site and key manufacturers’ works. They use their expertise to monitor the construction of important items of plant and witness tests and quality assurance procedures. It has been found that close monitoring by NSD while plant is being built will ensure that the licensee achieves a design that meets the safety requirements. Routine site inspection Planned inspection: To check for compliance with the licence conditions and to gain an overall view of site activities, nominated site inspectors spend around 35% of their time on their site. They may spend longer if a particular aspect needs attention. Their inspection plan aims for most of their work to be proactive rather than reactive. It is based upon ensuring that the licence and other significant health and safety legislation are being complied with. Periodic shutdown: Licence conditions require that licensees make arrangements for carrying out plant maintenance, and these arrangements call for operations to be shut down periodically so that major overhaul and inspection can be carried out of significant safety-related items. In the case of plant such as reactors, such shutdowns must be carried out every two or three years, and NSD’s formal consent is needed before they are allowed to restart the plant. Much work is carried out during this period, and NSD meets with licensees before the work to agree the proposals and, on completion, to discuss their findings before giving its 200 consent. Before this is given, several specialist assessment inspectors look at the licensee’s results and visit site to see for themselves the records of the inspections and some of the work. Before allowing plant to start up after a shutdown, the licensee must report to and satisfy NSD about: x Outage maintenance and inspection results; x Plant performance since the last periodic shutdown; and x The adequacy of the plant to perform safely until the next periodic shutdown. Project inspection: Frequently throughout the life of a plant licensees call for repairs or modifications to be made in the interests of safety or to enhance production, many of which can affect nuclear safety if they are not carried out properly. The more significant ones require NSD’s agreement before major works can be carried out and before the plant can be operated with the repair or modification. Such activities can call for specialist inspectors to assess the proposals and any test and quality assurance records. They may also visit site or manufacturers’ factories to carry out their own inspections to satisfy themselves about the safety of the work. Reactive inspection Preliminary investigation: Although site inspectors are not resident on the site, licensees are required to inform NSD about a wide range of accidents and lesser events that occur on their sites. Many of these need to be followed up by the site inspector, either on a special visit, if serious enough, or during the next routine visit. NSD inspectors have the power to make people report to them about events unless those people are responsible for an offence. If so, an investigation must follow. Regulatory investigation: If a serious event has caused NSD to believe that regulatory action should investigate whether the law has been broken and to collect samples, statements from witnesses, photographs and other documentary evidence that can be presented in a court of law. Such investigations usually involve two inspectors, one of whom may or may not be the site inspector. Emergency arrangements: Licence conditions call for arrangements to be made to deal with any accident that could lead to radioactivity being released on or off the site. An emergency plan must be prepared and submitted to NSD for approval for each site. This outlines the organization and procedures to be used on site and with local emergency services to protect the general public. It sets out provisions for on-site and off-site radiation monitoring, and for the chain of communication. Level 1 emergency exercises: Licensees are required to demonstrate their emergency plan to NSD’s satisfaction. The sites each prepare an emergency exercise every year and many of these, work with the local emergency services to show they can manage a major accident if one happened. A team of up to five or six NSD inspectors observes these exercises and comments on any shortfall: NSD can call for all or part of an exercise to be repeated. Level 2 and 3 emergency exercises: To show that national emergency arrangements will also work, a smaller number of Level 2 and 3 exercises are also required. Several Level 2 exercises 201 are held each year; these involve simulations of major interaction between licensees and government agencies for an event that extends to the local community. Only one Level 3 exercise is carried out each year for the whole UK, and for this the full national arrangement is tested. Senior NSD staff have a significant role in both Level 2 and Level 3 exercises. Around 15 to 20 NSD staff are used as team members and up to three or four act as observers. The results of these exercises are used to improve responses by all organizations involved in them. Enhanced team inspections Many safety audits or team inspections are also carried out each year on particular plants or on a safety topic. For these, a multi-disciplinary group of inspectors visits one or more sites and reports the findings to the licensee, so that improvements can be made, where appropriate. Large team inspections: Over the years, NSD has found it helpful to adopt a flexible approach to inspection, occasionally using teams of ten or more inspectors and sometimes including in those teams inspectors from other regulatory functions, such as environment, conventional health and safety, and fire and explosives. The first main inspections of this type concentrated on the management of safety systems including the work permit system. Other important inspections have included those that NSD used to satisfy itself that during the UK deregulation of the electricity supply industry, companies entering privatisation could adequately met nuclear regulatory requirements. This inspection extended to headquarters’ documentation and management systems, site implementation plans and even detailed examination of proposed site boundaries and joint working arrangements where sites that had once contained two magnox reactors and two advance gas-cooled reactors, operated by a state-owned company separated into two privately-owned companies. The whole inspection and audit process involved every NPP site inspector plus a large team of other inspectors over several months (and involved the Chief Inspector answer questions before a select committee of the UK parliament) preparing for the changeover. Another high profile team inspection involved the investigation of management of safety problems at the Dounreay Nuclear Establishment following an event when power supplies to the site were disrupted by a contractor working with earth moving equipment on the site. The inspection team of twelve inspectors lasted three weeks and included one of NSDs deputy chief inspectors. Again, the chief inspector was asked questions by a select committee of the parliament. The subsequent report, published on the Internet, contained 145 recommendations and severely criticised the amount of work delegated to contractors on the site. Targeted team inspections: Several team inspections are carried out each year that involve teams of two to six inspectors visiting a site or other establishment run by a licensee for two to five days to look into a particular safety issue, such as: x Control and supervision of work; x Radioactive waste management; 202 x x x x x x x x x x x x Maintenance arrangements; Company reorganization; New licence application; Headquarters functions; Safety case production; Management of safety; Control of contractors; Licence compliance; Plant modifications; Quality assurance; Event reporting; or Staff changes. The choice of what to inspect may be decided by NSD policy or by the site inspector’s need to look more closely at a potential weakness on the site or at a licensee’s headquarters. A particular example of an extended team inspection occurred when Sizewell B was set to work. Six NSD inspectors, plus two American inspectors from NRC, followed commissioning over several weeks. 4.2.3.3. Inspection programme General It is neither possible nor necessary for each site inspector to monitor everything on every inspection. The best that can be achieved is to sample what goes on. It is too easy only to follow up events, rather than to be proactive. It is also necessary to ensure that plants with more problems get more attention than those with fewer problems. Use of a planned inspection programme that fits the plant helps to avoid only following up site events, which may then lead to a biased view of the safety performance of the plant. In the UK, site inspectors are generally nominated for just one site, but they support other sites as required, so some of their 35% of time on site may be spent on a site that is not their own. As a health and safety regulator, they focus their inspections on licensees’ legal duties, but may use their results to persuade operators to keep improving safety standards. Site inspection programme The site inspection programme is developed with a view to the significance of the risks posed by the plant or particular operations within it. These risks can vary over time: new plant being put into service may bring higher risk, so may need to be monitored closely until it is shown to be working satisfactorily. Alternatively, plant may break down or become less safe, so may need increased attention from the operator and the regulator. To draw up the programme, it is helpful to identify the main risks on the plant and rank them in order. These risks may not all be technical: some may relate to public opinion. Inspectors must target their inspection on real issues and try to work on what they know to be a real risk. They use their programme as a plan for guidance, rather than a checklist, and can change it if other work needs to take priority. 203 The aim is to target plans on higher risk operations or plants and to have a set of issues to consider for each. Some of the issues may relate to compliance with the law, others to resources or even management attitude. The aim is for the plan to cover one to three years, yet to give confidence that the operator is behaving safely at all times. An example of the sort of operations included for a nuclear power plant are: x x x x x x Essential power supplies; Pressure circuit integrity; Reactor control systems; Post-shutdown cooling; Fuel route systems; and Waste management. The issues to assess for these operations include: x x x x x x x x x x x x x x x x Quality assurance and records; Fault identification and control; Accident and event statistics; Management and control of: Maintenance and testing; Radioactive waste; Modifications; Safety cases; Operations; Worker radiation doses; Operating instructions; Licence compliance; Radiation protection; Staff competence; Staff training; and Work planning. Other topics considered separately from the operations are: x x x x x x x Management of contractors; Emergency preparedness; Other legal requirements; Non-nuclear safety; Site management; Work planning; and Safety culture. The plan allows for about 20% of a site inspector’s time to be spent on reactive work, following up events and unplanned problems. 204 Team inspection programme Emergency exercise programme: Each site must carry out a Level 1 exercise every year and a Level 2 or 3 exercise typically every three to four years. The dates for these exercises are planned centrally by NSD and agreed with the licensees on a rolling programme. Targeted inspection programme: Each year, the performance of each site is reviewed and ranked against the others, where possible. Site inspectors’ and line managers’ reports help with this. NSD’s senior managers review these rankings, together with any requests from site inspectors for specific assistance. In addition, they consider the aims of the organization: recently, there have been several reorganizations of the industry that have led to greater public interest. As a result, additional team inspections have been run to assure NSD that the organizations can do what they say they will, and that they manage the changes they are making without reducing safety standards. Overall, the aim has been to provide about ten or twelve such inspections each year. With a major change, such as relicensing a reorganized operator, the programme of inspections may run over two to three years, until NSD is satisfied that the new organization is working well. 4.2.3.4. Reporting results To obtain information for planning programmes, a report is written for each inspection. Summaries of routine inspections remain working documents, confidential to NSD, but the main aim of a team inspection is to produce a report that will be used to gain improvement from the licensee: they receive a copy. A quarterly summary report is produced for the public who live near the site, and NSD publishes a nuclear safety newsletter that summarises NSD’s activities as a whole. This may include the findings from some of the more significant team inspections. If there is a major public interest or concern, a full public report may be published. Occasionally ministers call for a report. 4.2.3.5. Inspection manual and objectives Health and Safety law in the UK sets goals for industry to meet, and the Health and Safety Executive’s (HSE) Nuclear Safety Directorate builds this into the licences it issues through its Nuclear Installations Inspectorate (NSD). Licensees must meet a basic level of safety and improve on this where possible. Inspectors use two criteria to judge what to inspect: system risk and licence compliance. Risk is used to decide what proportion of time should be devoted to the inspection, and licence compliance is used to determine whether licensees are meeting their legal duties. Over the years NSD inspectors have set out the standards that they apply for their work and told licensees about these. In fact, there has also been a need for NSD to inform the public about its work. Its standards are set out for the public in two booklets published by HSE, “The tolerability of risk from nuclear power stations” and “Safety assessment Principles for nuclear 205 installations (SAPs)”. In addition, the nuclear safety advisory committee gives advice on appropriate standards for the industry. For NSD staff, guidance has been given in a manual that outlines the purpose of each condition of the nuclear site licence and how to check that a licensee is complying with them. This guidance is available to licensees, except for a small amount dealing with enforcement action. NSD staff are trained in the use of this guidance before they become site inspectors. In addition to NSD’s inspection criteria, licence conditions call for operators to carry out their own inspections, and it is part of NSD’s function to satisfy itself that adequate standards are set for these inspections and appropriate records are kept of them. Regulatory standards The ALARP principle: UK safety law aims for risks to workers and the public from work activities to be made as low as is reasonably practicable (ALARP). Risks are judged against the costs of reducing them, and employers must remove or reduce a risk unless it would clearly be unreasonable to do so. Limits to prevent extreme risks must always be met, however much it costs. If the risk can be reduced still further at reasonable cost, this must also be done. Even when the point is reached where risks are so small they do not need to be made any lower, employers need to check that the plant stays this safe. NSD checks that licensees meet both the relevant laws and the ALARP principle. Tolerability of risk: Accidents must be avoided, just as routine radiological exposures must. There is a point where the chance of a major accident on a site would not be acceptable. If a risk cannot be made low enough, plant cannot be built, and will not be licensed. Even when the chance of serious accidents is small enough for a licence to be granted, licensees must still take steps to prevent such faults or their consequences. More must be done to prevent faults and to meet the ALARP principles for faults that could lead to the worst consequences. The ideas behind such an approach are explained further in HSE’s publication “The Tolerability of Risks from Nuclear Power Stations.” Safety standards: This ALARP approach calls for licensees, plant designers and operators to look closely at what can be done to reduce radiation exposures and risks of accidents. Judgement is, of course, needed about what is reasonable, and licensees must set out what they aim for. NSD monitors and questions decisions at every stage from the earliest design of a plant through to its decommissioning. It expects licensees to draw up their own design safety criteria and standards. NSD would look for standards to be based upon those of the IAEA, the British Standards Institution or the American Society of Mechanical Engineers. NSD’s inspection standards HSE’s safety assessment principles: NSD has drawn up safety assessment principles for nuclear installations (SAPs). These indicate to licensees and the public what standards HSE, through NSD, expects to see in designs for new nuclear plant. These principles give NSD’s views on what is achievable and set out the requirements for assessing the safety of designs. They reflect HSE’s views about the tolerability of risk. 206 The basic safety limits given in SAPs relate to the ‘Not allowed’ region of the ALARP figure, and basic safety objectives relate to the broadly acceptable region. SAPs also set engineering design principles. NSD looks for defence in depth. This means that the design must use many different complementary ways to minimise faults and prevent the escape of hazardous material, such as fission products, from the site. For example, in a power reactor, solid fuel helps by locking the fission products in the crystal lattice, while the fuel cladding, the primary pressure vessel, and secondary containment, all help by stopping radioactive materials escaping to the environment. Many of the principles deal with the other engineered safeguards or protection systems that help to preserve these physical barriers during faults or external hazards like fires, floods or earthquakes. The aim is for the plant to be reliably and effectively shut down, cooled, and controlled. NSD also looks at the effect that human error and operator behaviour might have on managing the plant at such times. Older UK plants were built before probabilistic safety assessment methods became widely available, and the SAPs are intended for new plant designs, but many of the principles deal with plant reliability and event probabilities for systems and components. NSD prefers probabilistic safety assessment to be used, both for system reliability and for fault analysis using, for example, fault and event trees. Licensees make such risk assessments as part of their safety case. This gives a way of judging designs and revealing weaknesses. Not enough is yet known about how structural and mechanical items behave and how human operators will work in complex faults to be able to accept computed results. This means that NSD does not think that a safety case can rely only on a probabilistic approach. The case must show that sound engineering principles have been used in the design; the probabilistic safety assessment confirms the overall robustness of the design concept. Inspection guidance Training: All NSD inspectors are university graduates, and most have at least ten years’ experience in industry. They cover a full range of engineering, scientific and human factors expertise. Most, but not all, will have come from the nuclear industry. Before a new inspector is given responsibility for a site, training is given. Upon joining NSD, they receive legal and technical training that is related to the types of inspection practices used for the different processes NSD regulates. Much of this training is appropriate to assessment inspectors as well as site inspectors, but one of the courses is quite specific to preparing for site inspection. This deals with the practical work of what to look at and how to conduct oneself on site. It includes how to carry out an investigation and collect evidence where the law may have been broken. Other courses concentrate more heavily on these aspects. Inspector’s discretion: HSE places much emphasis on the fact that its inspectors should use their powers with discretion and should act in the best interests of safety at all times. They cannot be present to stop every unsafe act, so they must manage their time to achieve the best overall result. This means that they must spend more time looking into some problems than others, although this will change as time or circumstances change. They need to use their experience to judge what to do. Compliance guidance: NSD’s guidance has been developed from its own experience of working with the UK system and from international best practices. The nuclear site licence used in the UK has 35 so-called “conditions”, many of which call for licensees to ‘make 207 arrangements’ to do something. For example, part of Licence Condition 22 deals with plant modifications: “The licensee shall make and implement adequate arrangements to control any modification or experiment carried out on any part of the existing plant or process which may affect safety.” NSD’s guidance then sets out what is looked for in those arrangements. For example, they should deal with: x Changes to plant or safety cases; x Deliberately overriding safety devices that have not been provided with a facility or do not have authorized operating or maintenance instructions for doing so; x Concessions on materials that do not meet their quality specifications; x Changes to plant operating rules, technical specifications or maintenance schedules; x Tests or experiments that could affect nuclear safety by changing the state of plant; x Any plant investigation that is not covered by operating or maintenance instructions. This list is not exhaustive, but if inspectors are in doubt about something that has been done without using the arrangements, they would judge whether what had been done seemed to fall close to one of these ideas. To avoid having too much detail on every piece of work that needs to be done on nuclear plant, the licence condition goes on: “The aforesaid arrangements shall provide for the classification of modifications or experiments according to their safety significance. The arrangements shall where appropriate divide the modification or experiment into stages. Where the Executive [HSE] so specifies the licensee shall not commence nor thereafter proceed from one stage to the next of the modification or experiment without the consent of the Executive. The arrangements shall include a requirement for the provision of adequate documentation to justify the safety of the proposed modification or experiment and shall where appropriate provide for the submission of the documentation to the Executive.” NSD seeks to ensure that licensees have three or four categories for judging modifications. These should ask whether, if the work was inadequately conceived or implemented, there could be: x x x x Serious radiological hazard on or off the site; Significant but less serious radiological hazard on or off the site; Minor radiological hazard; or No radiological hazard. Clearly, the more significant the potential safety risk could be, the more control is looked for by NSD. For category 1 modifications, NSD’s agreement will be sought before work begins. Inspectors will also check the design and installation of modifications. Inspectors use their experience and judgement to decide whether work in progress has been placed in the right category. 208 It is very important to ensure that any proposal is independently peer reviewed, in case some important nuclear safety issue is overlooked. This means that the regulator looks for a system that controls all work. For example, a contractor who digs a hole in a road could strike important power or cooling supplies, even though the work in hand appears not to have anything to do with nuclear safety. The peer review will ensure that thought is given to such problems by asking the appropriate questions. More serious modifications should receive more detailed consideration by the licensee’s organization and should call for more checks that: x x x x Higher level of peer review and authorization are applied; Higher quality standards apply to the work; Designers, assessors, and plant installers are more qualified and experienced; and Other plant or people are not put at more risk. Quality assurance General: High risk activities, such as nuclear power generation and aviation, can lead to widespread contamination or many deaths, so they demand a higher than average level of assurance that things will not go wrong. When there are many processes involved in carrying out an activity all day, every day by people who must co-operate to do the work, it is essential that systematic procedures are used. The most hazardous activities must receive the highest levels of assurance. To ensure this, licensees must have a QA system. The standards applied with such systems must be used throughout the whole process, not just parts of it. QA is not effective if it is only used at the end of a task to determine what can be accepted or needs to be rejected, so regulators need to be checking for signs that the staff really do believe in the system. Honest self-assessment and wanting to keep improving the safety system are important to its success. Licence requirement: NSD’s nuclear site licences call for licensees to have quality assurance arrangements covering all safety matters. Site inspectors look at the document or set of documents, procedures and instructions covering: x x x x x x x x x x x x x x x x Design; Construction; Manufacture; Commissioning; Operation; and Decommissioning; Management responsibilities structure and arrangements for: Key safety-related organizations; Interfaces with organizations; Specific tasks; Site staff; Individuals’ responsibilities for specific tasks; Types of controls to be applied and to what systems; Controls applied to procurement specifications and items received; Performance standards; and What is to be done if standards are not achieved. 209 Standards: Licensees use national or internationally recognised QA standards such as IAEA Safety Code 50-C-QA: 1988 and its associated guides, or ISO 9001 and British Standards for specific projects or procurement activities. Documentation: A common QA model used in UK has three levels: x Upper level: Policy document, setting out organization and key responsibilities for ensuring safety, quality and legal compliance; x Middle level: Manuals describing department responsibilities and how work should be done: Procedures for work involving more than one department; Post profiles setting out each individual’s authority, responsibility and accountability; Interface agreements and lines of communication with related organizations, such as company headquarters; x Lower level: Specific quality plans and detailed work instructions. Audit and review: Irrespective of the standards set out, there should be evidence that the licensee checks periodically and systematically that they are being achieved. This is not just a check that procedures are being followed; they may be wrong. Inexperienced inspectors often discover evidence in licensees’ audit reports that procedures are not being followed and assume that the quality will be wrong. This is not always so. The important thing to find out is what a licensee does when procedures are not being followed: x x x x Is an investigation carried out to see whether the written procedure needs to be changed? If the procedure needs to be changed, is it amended quickly? How are changes controlled? If a procedure is changed, is training given in its application? There should be evidence of a planned audit programme covering each year’s work and looking forward a few years. All safety related systems and procedures should be covered in, say, two to five years, depending on their safety significance. There should be clear evidence that findings from licensees’ audits have been recorded and made known to the person responsible for the activity — usually they sign to say that they have seen the statement. There should be a system for progressing and clearing actions. As well as the regular audits and progress of actions arising from them, there should be evidence that senior managers review the results each year, and match them with other results from the plant. They should be looking for signs that things may be going wrong in one particular area of the plant, or with one type of activity, such as up-dating of instructions or procedures, that may affect everything. Using the results of these audits and reviews, regulatory inspectors should then use their own observations and experience to choose how to focus attention on the more significant items. They may, for example, see whether they agree with the findings by carrying 210 out their own sample inspection or audit. Or they may highlight some of the findings from several audits and seek improvement on these. Use of licensees’ results Licensees’ inspection: Licensees carry out many inspections for their own or regulatory reasons. Regulators use results from these to reduce their own need to repeat the work and to ensure that the licensee has a responsible attitude to safety. Maintenance inspections. Maintenance surveillance records are important because they show whether plant condition is deteriorating. They need to be in a suitable form and stored in a way that makes them easy to refer back to. They are a vital source of information for regulators, who must have confidence that they give a true and complete story. It would be very bad for safety if something had been examined and was on the point of failure, but the person who carried out the inspection was not suitably qualified or experienced to do the job properly, so recorded the wrong result. It is also important that everything that should be inspected is listed and done. This may be difficult where access is not possible or inspection would take a long time. Equally, it can be difficult to be sure that everything that needs to be done at a site is being done. It is usually helpful for regulators to check what the safety case says and to compare what is done at other sites. Quality audits. Regulators should inspect the results from the QA audits mentioned on the previous page from time to time. They are usually one of two types, those that look deeply into a very narrow part of an activity, or those that look less deeply across many related activities. The deep audit checks every level of an activity, from the manager right down to the point of work. It is appropriate for looking at a task carried out within a single department. An example based on refuelling activity might check: x x x x x x x x Who decides what fuel to load and to where? Who authorizes it? Who does it? How is the fuel collected, checked and loaded into the reactor? What controls avoid putting people at risk throughout? What safety controls need to be operated or prevented from operating? What records are kept of what has been done? Is there anything about what is done that could be done better? The broad inspection is appropriate where several departments may be involved or the activity covers a longer time. Take, for example, the total fuel management cycle: Who orders fuel? How is it received, checked and stored on site? How is the issue of fuel for refuelling controlled? What checks are made that what is specified is right and that what has been done meets the specification? x How is the irradiated fuel managed? x How are other waste materials managed? x x x x 211 x How are all the wastes disposed of from site (if appropriate — if not, is there sufficient storage for the waste now and for the future?) x Is there anything about what is done that could be done better? The last question in each type of audit is aimed at ensuring that they are technical, rather than procedural audits. It is relatively easy to judge whether people are doing what the procedure says. (Often they are not until a few audits have highlighted the fact and changed the procedure.) The more important question is whether anything can or should be done to improve the chance of it being done more safely. It can be seen that the deep slice tends to examine much more of the technical issues to do with handling the fuel. The broad shallow slice covers more wide ranging issues that will tend to show how the activities are managed. Independence. It is vital to make safety and quality part of everybody’s work, rather than something done by somebody else at the end of the job, but some parts need to be carried out as independently as possible. This may mean that someone who needs to check that a particular installation is complete is given the task of saying how much else needs to be done. By changing their view of what they need to do, they may see something that the person who thinks the job is finished will not have seen. It is sometimes helpful if checks are carried out by people in a mutual support rôle. One checks another’s work this time, the other checks next time. The quality is measured by the lack of error, and neither individual wants to let the other down. This is not appropriate for every activity; sometimes more than one check is needed. The danger is that many people checking the same thing will not always add value to each other’s work. They must each be responsible for and look at something different. Conclusions. To be fully effective and to make licensees accept their responsibilities for safety, rather than to make them meet particular regulatory requirements, NSD has developed a system of inspection that relies upon using experienced staff who can judge for themselves what is important to safety. Even so, this cannot be done without additional training and guidance for its staff on how to apply the law and to use an important part of the UK system, discretion. NSD has produced quite extensive guidance for its staff, some of which is available to the public and its nuclear site licensees, so that the standards can be understood by those who need or wish to know. Even so, these standards need judgement to be used, and NSD’s training helps staff to use them appropriately. A major requirement is that licensees do as much as is reasonably practicable to reduce risks, and this is a duty on all UK employers. The major difference for the nuclear industry is that a licence will not be issued nor will permission be granted for activities that are considered to be extreme risks. When plant is found to meet NSD’s basic safety objective, or is broadly acceptable, NSD does not actively seek more improvement, but the licensee must make any reasonably practicable improvement, say, as a result of new technology. 212 The quality assurance programmes NSD looks for among its licensees are those based upon international standards for nuclear plant, although it also finds references to British Standards QA guidance in use. Although NSD’s inspectors are not resident on the sites, they use licensees’ audit and inspection results to judge whether all that can be done to ensure safety is being done. They use licensees’ results with their own experience and knowledge of the legal and practical problems with health and safely management to guide their own inspections. They are seeking to ensure that managers carry out reviews from time to time to constantly improve safety on their plants and to meet the ALARP principles at all times. 5. DOCUMENTATION 5.1. IAEA GUIDANCE FOR DOCUMENTS GENERATED BY THE OPERATOR AND THE REGULATORY BODY WITHIN AN AUTHORIZATION PROCESS 5.1.1. Documents produced by the operator Different types of documents are prepared by the operator in carrying out its responsibilities with respect to safety of a facility. This includes three categories of documents: x Documents required by the regulatory body for formal approval at the various stages of the authorization process; x Reports that are submitted to the regulatory body periodically or, for events, incidents or accidents which are identified in the regulations; x Documents that are prepared for the conduct of the activities related to the facilities and are made available to the regulatory body upon request. 5.1.1.1. Documents to be submitted to the regulatory body for review and assessment In applying for a license, the operator provides all relevant information describing the basic approach to safety in order to demonstrate that the nuclear facility will not present undue radiological risks to workers, the public and the environment. This includes safety objectives, principles, criteria, standards and analysis proposed for all authorization stages. The relevant information is presented so that the regulatory body can conduct the review and assessment process without needing to seek further information or clarification. Basic information provided covers each stage of the authorization process including: x Description of the site, including geography, demography, topography, meteorology, hydrology, geology and seismology; x Description of the facility, including layout of buildings and equipment; x Applicable safety regulations, guides and industrial standards; 213 x Safety concepts and criteria used in the design of the facility, including the classification of systems and components, the application of the defence in depth concept and the approach to the issues related to the human-machine interface; x Description of systems and components, including their design criteria, the processes involved, the modes of operation and testing. Analysis of the normal operation of the facility demonstrates the acceptability of the design, including a demonstration that radiation protection criteria, waste management requirements and effluent limits are met by the design. The results of a safety analysis are provided to demonstrate how the design of the nuclear facility and related operational procedures will contribute to the prevention of accidents, and to the mitigation of accidents if they do occur. This analysis describes and evaluates the predicted response of the facility to postulated initiating events which could lead to fault conditions. These analyses are extended to relevant combinations of such disturbances, malfunctions, failures, errors and events. Consideration should be given to aspects such as the assumed initial conditions, the physical or mathematical models used, their correlation with experiments, and the method of presenting the results. These analyses show the extent to which the facility can control or accommodate situations relating to the various events and fault conditions. The limits and conditions for safe operation are defined. If any part of the analyses has been independently reviewed by another organization, the results of this review are also presented to the regulatory body. Information regarding organizational matters is formally presented for review and assessment by the regulatory body. This includes a description of the quality system established to ensure that all items are designed, manufactured, constructed, assembled, tested, qualified, operated, maintained or replaced according to the safety requirements. This includes, topics such as: x x x x x x Management structure and resources; Quality assurance arrangements including internal and external audit; Organizational structure for the relevant stage of authorization; Qualification and training of personnel; Development of procedures; Documents and records control. Other plans and programmes that are established by the operator in support of its safety activities are also submitted to the regulatory body for review and assessment. These include areas such as: x x x x x x x 214 Radiation protection programme; Environmental monitoring programme; Emergency preparedness; Physical protection; Fire protection; Radioactive waste management; Research and development in relation to the safe design, operation, decommissioning or closure of the facility; x x Operation experience feedback; Decommissioning strategy. 5.1.1.2. Reporting by the operator The requirements for periodic or progress reports and the general criteria for notifying the regulatory body of events, incidents or accidents are specified in regulations or licence conditions. Periodic or progress reporting Reports are submitted from the operator at predetermined times or after completion of specific activities during the lifetime of the facility. During site evaluation and construction, reports serve to keep the regulatory body informed of the project development. These cover: x Progress of site studies; x Construction progress report; x Results of the pre-operational environmental monitoring programme. During commissioning and operation, reports are prepared to demonstrate to the regulatory body the continuous safety of the facility. These cover: x x x x x x Results of commissioning tests; Operational data, including data on the facility’s output and performance; Modifications; Results of the radiation protection programme; Results of the environmental monitoring programme; and Radioactive waste management. In order to enable the regulatory body to consider the release of any facility from regulatory control, reports include details of: x The amounts and destinations of radioactive decontamination/dismantling programme; x Levels of residual activity in the facility; x Results of environmental monitoring programmes. waste resulting from the Where it is necessary by the nature of the facility (e.g. for a waste disposal site), reports should also include details of: x The overall waste inventory; x The sealing arrangements; x Any institutional controls intended for the post-closure phase. Notification and reporting of events, incidents or accidents The operator notifies the regulatory body of any event considered significant to safety. The time and type of notification is established in regulations and depends on the severity of the event. 215 Depending on the severity of the events or the deficiency, an investigation should be carried out by the operator and a report prepared and submitted to the regulatory body within a specified period of time. The report covers details of the events, the findings of the investigation and a proposal for corrective action. Other reports During site evaluation and construction, any changes in the design or major nonconformances that may affect safety evaluation are reported to the regulatory body prior to the implementation of the changes. Any major design deficiencies identified during commissioning or operation is also analysed and reported. 5.1.1.3. Records to be kept by the operator The operator, having responsibility for the safety of the facility, keeps records of all activities that are considered safety related. The records, although not formally submitted to the regulatory body for review and approval, are made available upon request. Regulations establish the types of records that are kept and their retention period. This takes into consideration the possible future need to refer to the records and the difficulties of regenerating the information. Records of site evaluation and construction Results of site evaluation studies (geological data, meteorological data, hydrology data and results of the pre-operational environmental monitoring programme), construction design records, manufacturing records (including shop quality control results) and erection records (including quality control results and as-built design records) are kept in accordance with established regulations. They may be useful in the investigation of any later events or generic problems and in decommissioning. Commissioning records Records made during commissioning include equipment and system tests, test procedures and the results. The results are thoroughly evaluated by the operator and this evaluation should also be retained with the test results. The regulatory body monitors commissioning of the facility very closely and reviews commissioning tests results at each phase of the commissioning process before proceeding to the next phase. Retention of commissioning test documentation is required by regulations. Operation records Operational records are the main documentation to be used in the routine monitoring of safety by the regulatory body. This monitoring is conducted through the system of regulatory inspections. The documents to be retained by the operator for possible examination by the regulatory body include: x x x x x x 216 Output and performance records for the facility; Operating log books; Inventories of nuclear and radioactive materials; Records of periodic calibration and testing of equipment; Records of periodic testing of equipment and systems; Records of in-service inspections; x x x x x x x Records of preventive maintenance and repairs; Records of personnel training; Records of personnel radiation monitoring; Records of radiation monitoring and contamination records for the facility; Records of radioactive waste management; Records of effluent discharges and of the environmental monitoring programme; and Records of fault conditions. Records of modifications to the facility All modifications relevant to safety and their evaluation are recorded for possible reexamination. The regulatory body periodically examines the complete set of modifications to the facility in order to evaluate the effectiveness of the operator's control process and to ensure that all modifications relevant to safety have been submitted for its approval, in accordance with applicable regulations. Evaluation and records of events The event evaluation process and its results are recorded for all events above an established threshold of significance. Periodic review of recorded events is performed to identify trends and possible deterioration of safety levels. The regulatory body periodically examines the complete set of events in order to evaluate the effectiveness of the evaluation process, to ensure that procedures for notifications have been properly followed, and to identify trends in the collective set of events recorded at the facility. 5.1.2. Documents produced by the regulatory body for a specific facility The regulatory body treats the authorization process for each facility as a specific task which generates specific documentation. This may be similar to the documentation of similar facilities but should keep its individuality. The documentation can be categorized according to the main continuous functions of the regulatory body: review and assessment, inspection and enforcement, etc.. 5.1.2.1. Results of review and assessment The review and assessment performed by the regulatory body is discussed in Section 3. It requires the evaluation of the documentation submitted by the operator described in the preceding paragraphs. Records of information exchange between the regulatory body and the operator The process of review and assessment is conducted through exchanges between the regulatory body and the operator which is formally recorded. These concern mainly: x x x x Requests for additional information by the regulatory body staff; Questions formulated by the regulatory body staff; Responses by the operator (including those provided by its contractors); and Records of meetings between regulatory body staff and operator personnel. 217 These records are kept in an organized way which provides the possibility of retrieval according to different criteria, such as subject, type, date or originator. Documentation of the review and assessment At several stages of the authorization process a decision will have to be made whether a licence is granted. The regulatory body records in the form of a report the basis for such a decision. This report summarizes the review and assessment performed within the regulatory body and provides a clear conclusion about the safety of the authorized activity. Typically, the report covers the following topics: x x x x x x x x x Reference to the documentation submitted by the operator; Basis for the evaluation; Evaluations performed; Comparison with regulatory requirements and guides; Comparison with other similar (reference) facilities; Independent analysis performed by the regulatory body, or by consultants on its behalf; Conclusion with respect to safety; Reasons for the decisions made; Additional conditions to be fulfilled by the operator, if any. 5.1.2.2. Records of inspection activities The primary purpose of inspection reports is to record the results of all inspection activities and to provide the basis for notification of the inspection findings to the operator. The format and content of inspection reports are discussed in Section 4. Inspection findings are forwarded to the operator for necessary corrective actions. In some countries, the full inspection report is forwarded to the operator. Caution should be exercised in identifying individuals by name or post because of the possible implications for the individuals. From time to time the regulatory body may find it useful to produce a synthesis report covering a type of facility or a specific aspect and drawing together the findings from the relevant inspection, review and assessment report. 5.1.2.3. Records of enforcement actions Enforcement actions are taken in case of non–compliance. All enforcement actions are recorded according to an established procedure in accordance with the legal and regulatory practices. Whenever an urgent enforcement action has to be taken to ensure the safety of workers, the public and the environment, this action is confirmed in writing as soon as possible. 5.1.2.4. Licence document The authorization process (see 2.2) is the principal mechanism connecting the legal framework of the regulatory system (the law and regulations) with the responsibilities of the principal parties (the regulatory body and the operator) which are affected by the regulatory system. The principal purpose of regulations for a nuclear facility is to establish requirements, 218 both technical and administrative, that apply to persons, activities and facilities involved in a nuclear programme. Such regulations provide a basis for the more detailed requirements incorporated into licences. The license may also refer to non-mandatory technical guides or industrial standards in part or as a whole, thus making them mandatory. The licence establishes, directly or by reference, conditions governing the safe performance of these activities. Format of licences The format of a licence depends upon the content of authorization and conditions deemed necessary by the regulatory body for a given stage of the authorization process in accordance with the national legal procedures. For example, the licence may incorporate by reference the underlying documents and provide only material needed to define the basic terms not already described elsewhere. Thus, the format of a licence will vary not only between countries, but also within a country, from stage to stage and from licence to licence for a given stage. The licence contains information such as: x Statutory authority: The licence explicitly refers to the law and regulations on which it is based. x The issuing authority: The licence identifies the official designations of those who are empowered by law or regulation to issue the licence; whose signature and stamp will appear on the licence; and to whom the operator will be accountable under the terms of the licence. x Fulfilment of requirements: The licence includes a summary statement that in respect of safety all legal and technical requirements under the law for issuing licences have been fulfilled and that the proposed activities can be carried out without undue radiological risk to workers, the public or the environment. x Documentary basis: The licence identifies those documents provided by the operator in support of the application and those developed by the regulatory staff during the review and assessment process, which together form the basis for issuing the licence. x Relationship to other licences: The licence indicates whether it is contingent upon a prior authorization or is a prerequisite to a future authorization. x The operator: The licence contains a precise identification of the individual or organization both legally responsible for the licensed activity and in day-to-day control of the facility. x Period of authorization: The licence states an effective date of authorization. It may also include a termination date, which may be based on a fixed term, e.g. one or two years. Alternatively a period will be stated over which the assumptions underlying the licensing decision will remain valid and at the end of which the basis for licensing will be reexamined. x Licensed activity: The licence clearly describes with sufficient precision the nuclear facility, its location and the authorized activity. 219 x Operator’s responsibility for compliance: The licence contains an appropriate declaration that the operator has the responsibility for compliance with the legal requirements, regulations and conditions referenced or contained in the licence or otherwise applicable. The licence should also state that such responsibility is not transferable. Licence conditions Licence includes explicitly, or imposes by reference or attachment, conditions determined by the regulatory body which are obligations with which the operator is required to comply. Law and practices relating to licensing vary in states. Some states specify conditions in the law and in regulations of the regulatory body, merely referencing them in the licence, while other states include some or all conditions explicitly in the licence. Licence conditions cover as appropriate all safety-related requirements affecting the siting, construction, commissioning, operation and decommissioning or closure of the nuclear facility to enable effective regulatory control. These include such important aspects as: design requirements; radiological protection; emergency procedures; modifications; quality assurance; operational limits and conditions; procedures; and authorization of personnel. While the conditions may vary in format, there are certain basic qualities that characterize the set of conditions to make them understandable and effective. Each condition is consistent with all other conditions in that the fulfilment of one should not be in conflict with the fulfilment of another or with any other legal requirement. It might be useful to group the conditions into logical types, such as conditions which set technical limits and thresholds, conditions which specify procedures and modes of operation, conditions pertaining to administrative matters, conditions relating to inspection and enforcement requirements, and conditions regarding response to abnormal circumstances. Table XV presents examples of general and stage specific licence conditions. 220 221 The operator does not extend its activities beyond those specifically authorized in the licence without the prior approval of the regulatory body. The operator develops, preserves, updates and maintains a complete set of records related to the safety of the facility, including those referenced in the applications, and those required by law, regulations and the licence, and does not dispose of them except as authorized by the regulatory body. The operator carries out its activities in accordance with an approved quality assurance programme covering all stages of the authorization process, to provide a basic framework for ensuring that every step is carried out with due regard for safety. The operator reports facility modifications in accordance with requirements established by the regulatory body. The operator reports all accidents, incidents and events related to safety as may be required by the regulatory body. x x x x The operator takes such corrective actions or measures as the regulatory body may require in the interests of safety. The operator keeps the regulatory body fully and continuously informed with respect to any significant or potentially significant events or changes in the considerations, information, assumptions or expectations upon which the issue of the licence was based. x x x x General licence conditions include the following: x The operator provides the authorized representatives of the regulatory body with full access to personnel, facilities and records that are under the operator's control, where such access is deemed necessary by the regulatory body to determine compliance and to assess safety. TABLE XV. EXAMPLES OF GENERAL AND STAGE SPECIFIC LICENCE CONDITIONS. The operator initiates a pre-perational radiological study of the region including an appropriate baseline survey. x Commissioning is carried out in accordance with a programme approved by the regulatory body. Completed structures, systems and components important to safety are not put into service until they have been inspected, tested and approved as being in accordance with the terms of the licence. x x Commissioning: When authorizing commissioning of the nuclear facility, the regulatory body specifies a number of conditions, including the following: Furthermore, at the time of authorizing of the construction, conditions may be imposed on the operator requiring that it obtain from the regulatory body additional approvals relating to the design of certain parts of the nuclear facility. The nuclear facility is constructed in accordance with the design which has been approved by the regulatory body. The operator does not deviate from the approved design in any way that might affect safety without the prior approval of the regulatory body. The nuclear facility is designed and constructed in accordance with the relevant site parameters approved by the regulatory body. x x Construction: When authorizing construction, there are several conditions which are necessary to ensure that this stage can proceed in a manner that ensures the safe operation of the nuclear facility. These conditions include the following: Site preparation: When authorizing a site, the regulatory body specifies the controls which the operator is required to exercise over use of the site and the degree to which the operator may prepare the site, without conducting activities which, under the law and regulations of the state, require a construction licence. Stage specific licence conditions include the following: 222 Fissile or radioactive material is not brought onto the site without regulatory authorization. Beginning with the introduction of fissile and radioactive material into the facility, the operator operates the facility only under the control and supervision of authorized personnel using written procedures in accordance with the operational limits and conditions approved by the regulatory body. Any changes made to these limits and conditions have prior approval of the regulatory body. The operator has an approved emergency plan, co-ordinated with the other authorities involved in emergency preparedness x x x The operator has a modification procedure approved by the regulatory body to ensure that no part of the approved facility important to safety will be modified without the prior approval of the regulatory body. The operator ensures that the nuclear facility is subjected to in-service inspection and testing to be carried out as specified for structures, components and systems important to safety to a time schedule approved by the regulatory body. The operator ensures that maintenance of safety related equipment and systems is carried out in accordance with a schedule approved by the regulatory body. x x x Operation: In authorizing routine operation the conditions imposed under commissioning are appropriately amended in the light of commissioning results. The regulatory body adds conditions such as the following to this licence, when deemed necessary: x The operator does not operate the facility in excess of the maximum capacity level authorized by the regulatory body. The operator provides approved storage facilities for nuclear materials. The regulatory body may require appropriate physical security measures to be effective before nuclear material is brought into the facility. x The operator ensures that the nuclear facility is only operated under the control and supervision of authorized personnel in adequate numbers acceptable to the regulatory body. No changes are made to the arrangements, schedules, procedures or rules that have been approved by the regulatory body without such changes being given prior approval by the same body. Closure: Following closure of a waste disposal facility, continuing control, including environmental monitoring, may be needed. Depending on national legislation, requirements may be contained within a post–closure licence held by the operator or responsibilities may be taken by a relevant national authority prior to agreement to closure. Decommissioning: When authorizing decommissioning of a facility, the regulatory body takes particular care in specifying legally binding requirements to ensure compliance, since the sanction of shutting down the facility or revoking the licence is unlikely to be very effective at this stage. Other possible licence conditions relating to such matters as the liability of the operator in the event of accidents are not included. x x 5.2. COUNTRY SPECIFIC APPROACHES AND EXAMPLES 5.2.1. Use of licensing and commissioning documents in Finland [16] In the following, licensing and commissioning practices in Finland are presented as an example of a possible approach. The role of licensing documents is stressed. 5.2.1.1. Decision in principle of the Council of State The siting and construction of a nuclear power plant requires the decision in principle of the council of state stating it is in line with the overall good of society. The application is supplemented with the documents listed below. In accordance with Nuclear Energy Act, STUK makes a preliminary safety assessment of the application. The safety assessment deals with the potential for complying with the provisions of the Nuclear Energy Act and Decree and with the provisions of the Decisions of the Council of State. STUK therefore presents in its safety assessment whether factors have arisen indicating a lack of sufficient prerequisites for constructing a nuclear facility. Documents to be submitted to STUK An applicant forwards to STUK the documents dealing with the plant options in question. The documents aim to prove that the plant options comply with the regulations in force. For each facility option, the documents shall cover i.a. the following items: x Description of the facility and its reactor, primary circuit and containment as well as other safety systems; x Reference to facilities which have served as models and a description of the most important changes in comparison to them; x Description of the safety analyses performed for the facility; and x General plans for the facility’s implementing organization, the suppliers of the facility and the most important systems and components as well as quality assurance during implementation. As regards each facility option, STUK requests, at its discretion, other information necessary for the preliminary safety assessment. 5.2.1.2. Construction licence A nuclear power plant construction licence shall be applied for from the council of state. The application shall be supplemented with the documents listed in the Nuclear Energy Decree. STUK issues a statement on the application for a construction licence. The statement is supplemented with a safety assessment. Documents to be submitted to STUK The requirements for the licensing documents are described below. STUK gives a statement on the construction licence application after having approved the following documents by a separate decision. 223 Preliminary safety analysis report: The purpose of the preliminary safety analysis report (PSAR) is to demonstrate that safety regulations and factors affecting safety have been adequately covered. In the PSAR, at least the following items are to be accounted for: a description of the nuclear power plant’s safety principles and other design criteria and their fulfilment, a detailed description of the plant and the site, a description of plant operation and behaviour in transient and accident conditions and the environmental impact of the plant’s operation. Preliminary liaison with STUK on the contents of the safety analysis report is required. In the PSAR, a reference shall be made to the topical reports which play an essential role in the assessment of the safety analysis report. The purpose of topical reports is to give a detailed description of the kind of experimental research and theoretical analyses on which the plant’s design is based. The reports may be related to the facility in question or to an other facility of a similar type designed by the same supplier. Topical reports concerning i.e. the fuel, reactor, reactor pressure vessel, safety systems and containment shall be submitted. The reports shall present research results important to design and detailed descriptions of the calculation models employed for design and the codes employed for computer analysis. Topical reports shall be forwarded to STUK for approval so that they can be reviewed not later than in conjunction with the review of the corresponding item in the safety analysis report. The requirements for accident analyses are presented in guide YVL 2.2. Proposal for a classification document: The classification by their safety significance of structures, systems and components important to the nuclear power plant’s safety shall be presented in the classification document. Safety class affects the requirements placed on design, manufacture, installation, testing and inspections. STUK’s regulatory control as regards each item is determined on the basis of the safety class. The safety classification requirements are presented in guide YVL 2.1. Quality assurance for construction: The systematic procedures followed in their quality-related activities by the organizations taking part in the nuclear power plant’s design and construction shall be presented in quality assurance programmes. In addition to the licence applicant’s quality assurance programme, the quality assurance programmes of at least the facility’s main supplier, the supplier of fuel and the most important components and equipment shall be submitted to STUK for review. STUK also requests for review, at its discretion, the quality assurance programmes of other organizations which play a significant role in the carrying out of the facility project. The quality assurance requirements are presented in guide YVL 1.4. Plans for physical protection and emergency response arrangements: Physical protection aims at thwarting any unlawful activities against a nuclear power plant. A plan for physical protection during nuclear power plant construction and operation is presented in the preliminary security plan. The plan deals with plant protection by structural means and with administrative procedures. Emergency response arrangements are intended to restrict nuclear damage at the nuclear power plant and on-site in the event of an accident. A plan for emergency response arrangements during nuclear power plant operation is presented in the preliminary emergency plan. The plan deals with the taking into account of emergency response arrangements in plant design, and with administrative procedures. Detailed requirements are presented in guides YVL 6.11 and YVL 7.4. 224 Plan for the arrangement of the necessary control to prevent the proliferation of nuclear weapons: Safeguards controls aim to ensure that nuclear materials will not be used for the fabrication of nuclear weapons or other nuclear explosives. The plant design data, which include basic information of plant layout and operation and a description of safeguards control at the plant, is presented in the plan for the arrangement of control. The requirements concerning safeguards control and STUK’s regulatory control measures are presented in guide YVL 6.1. Preliminary probabilistic safety assessment (mini-PSA): Mini-PSA means a preliminary analysis at Level 1 of the probabilistic safety assessment (PSA). Level 1 constitutes the first part of the safety assessment in which the probability of reactor core damage is analysed. The MiniPSA is based on the design phase facility plan and examines the most important accident initiating events. The requirements concerning probabilistic safety assessment are presented in guide YVL 2.8. 5.2.1.3. Operating licence A nuclear power plant operating licence is applied for from the council of state. The licence application shall be supplemented with the documents listed in the Nuclear Energy Decree. STUK issues a statement on the application for an operating licence to which a safety assessment is attached. Documents to be submitted to STUK When applying for an operating licence, the documents referred to in the Nuclear Energy Decree shall be submitted to STUK for approval. The requirements for these documents are presented below. STUK gives a statement of the application for an operating licence only after having approved of the essence of each of these documents by a separate decision. Final safety analysis report: The general requirements for the preliminary safety analysis report also apply to the final safety analysis report. The safety analysis report together with its accident analyses and topical reports are based on actual nuclear power plant systems, structures and components. As a rule, the safety analysis report is made in Finnish. On application, STUK may give its approval for separately defined parts of the safety analysis report to be written in some other language only. In addition to the information on the nuclear power plant and the plant site, also descriptions of plant commissioning and operation is presented in the final safety analysis report. Probabilistic safety assessment: A probabilistic safety assessment (PSA) contains analyses at PSA Levels 1 and 2. Level 2 means an assessment of the likelihood and quantity of the releases of radioactive materials. The analyses are based on actual nuclear power plant systems, structures and components. Quality assurance programme for operation: The systematic procedures which during nuclear power plant operation are applied to activities affecting quality are stated in the quality assurance programme for operation. The requirements for the quality assurance programme are presented in guide YVL 1.9. Technical specifications: The technical specifications determine the limit values for the process parameters most important to safety which are to be observed in the plant’s various operational states as well as the limitations caused to plant operation by possible component failures. The 225 technical specifications also state the requirements for the tests and inspections important to safety by which the operability of systems and components is periodically ensured. Furthermore, the technical specifications determine the minimum number of personnel required to be present during the various nuclear power plant operational states as well as the radioactive materials release limits. Summary programme for in-service inspections: The in-service inspections of components and structures important to safety to be conducted periodically after commissioning, are laid down in the summary programme for in-service inspections. The programme contains the items scheduled for inspection and their scopes, methods and periods of inspection. The in-service inspections requirements are presented in guide YVL 3.8. Physical protection and emergency response arrangements: Plant lay-out, systems and components as well as the structure and areas of responsibility of the plant’s operating organization are taken into account in the security and emergency plans. Arrangement of the necessary control to prevent the proliferation of nuclear weapons: The arrangement of control is presented in the manual for the nuclear materials accounting and control system. The requirements concerning the accounting and control system are presented in guide YVL 6.9. Administrative rules: The duties, authority and responsibility of a nuclear facility’s responsible manager, his deputy and the personnel directly required to operate the facility are specified in the administrative rules. Furthermore, the administrative rules state the competence requirements for the personnel. The duties, authority and responsibility of the licensee’s organizational units are more extensively presented in a separate organizational manual or some other corresponding document which is forwarded to STUK for information. Environmental radiation monitoring: The systematic measures to monitor the occurrence in the nuclear power plant’s vicinity of radioactive materials originating in the nuclear power plant are presented in the environmental radiation monitoring programme. Measures in accordance with the programme are initiated already prior to the plant’s commissioning. The requirements for the environmental radiation monitoring programme are presented in guide YVL 7.7. 5.2.1.4. Regulatory control of construction and commissioning According to the Nuclear Energy Decree, the various phases of nuclear facility construction may be started only after STUK is satisfied for each phase. STUK exercises detailed control over the construction of the facility. This control aims to ensure that the conditions of the construction licence, the regulations which apply to pressure vessels and the approved plans are complied with and that the nuclear facility is built, also in other respects, in accordance with the regulations issued by virtue of the Nuclear Energy Act. During construction, control is focused on the working methods in particular to guarantee high quality. Inspection and testing of nuclear facility systems, structures and components can be performed only by the licensee or, in his place, by an inspector or an inspection facility that has been specifically accepted by STUK for this purpose. The licensee shall appoint a responsible manager and his deputy for the construction of a nuclear facility who have approval from STUK for this job. The qualifications required of the responsible manager are presented in the Nuclear Energy Decree. 226 Management of and quality assurance during construction A high level safety culture and efficient quality assurance shall be observed during nuclear power plant construction. Apart from the licensee, this also applies to all the organizations participating in the project whose activities affect the safety of the nuclear power plant. STUK oversees construction project management and quality assurance during construction by inspections carried out at its discretion. I.a. the following items are subject to inspections: x x x x x Organizational structure and conduct of management; Competence and adequacy of personnel; Review of issues relevant to safety; Implementation of quality assurance, overall and in various sectors; Control by the licensee over the implementation of his own quality assurance and that of the suppliers and subcontractors. Concrete and steel structures STUK controls erection of buildings and manufacture of concrete and steel structures important to safety. This control contains: x x x x x Pre-inspection of structures; Inspections at the construction site concerning readiness to start work; Inspections concerning manufacture; Construction inspections of steel structures; and Commissioning inspections. Safety class of structures is taken into account when determining the scope of control and when setting the requirements. The requirements for and control of concrete and steel structures are presented in guides YVL 4.1 and YVL 4.2. Only organizations and individuals that have been granted approval by STUK are allowed to perform licensed inspection and expert duties relating to concrete and steel structures. guides YVL 1.3 and YVL 4.1 present these duties and the procedures of granting approval. Components STUK controls the manufacture of pressure vessels and other mechanical components for nuclear power plants. This control contains: x x x x Pre-inspection of components; Inspections concerning manufacture; Construction inspections; and Commissioning inspections. The safety class of components is taken into account when determining the scope of control and when setting the requirements. The requirements for and control of mechanical components are presented in YVL guides, categories 3 and 5. Only organizations and individuals that have been granted approval by STUK are allowed to perform licensed inspection and expert 227 duties relating to mechanical components. Guide YVL 1.3 presents these duties and the procedure of granting approval. STUK controls also the design, manufacture and installation of electrical and instrumentation equipment for nuclear power plants. The scope of control contains: x x x x Pre-inspection of components; Inspections concerning manufacture; Inspections concerning installation; and Commissioning inspections. Safety class is taken into account when determining the scope of control and when setting the requirements. The requirements for and control of electrical and instrumentation equipment are presented in guide YVL 5.5. Procurement of nuclear fuel According to sections 114 and 115 of the Nuclear Energy Decree, STUK controls that nuclear fuel is designed, manufactured, transported, stored, handled and used in conformity with valid regulations. The nuclear fuel licensing procedure and STUK’s regulatory control are presented in other YVL guides explaining the requirements which apply to the design, manufacture, transport, handling, storage and use of nuclear fuel. 5.2.1.5. Preparations for operation: organization and training Pursuant to the Nuclear Energy Decree, STUK controls that the organization operating the facility is adequate and appropriate and that the individuals participating in the use of nuclear energy meet the qualifications required and that proper training is arranged for them. Development and training of the organization for operation shall begin early enough during the construction of the nuclear power plant. When reviewing the administrative rules and organizational manual, STUK assesses the appropriateness and adequacy of the organization and the qualifications required. According to the Nuclear Energy Decree, the licensee shall appoint a responsible manager and his deputy for the operation of a nuclear power plant who shall have approval from STUK for this job. Furthermore, pursuant to the Nuclear Energy Decree, the licensee shall appoint persons responsible for emergency response arrangements, physical protection and safeguards. Those appointed to the duties referred to above must have approval granted by STUK for their specific jobs. Pursuant to the Nuclear Energy Decree, the operator of the facility systems in the main control room of a nuclear facility must have STUK’s approval for the job. The plan for the hiring of personnel referred to in guide YVL 1.7, the time of their hiring and initial training programmes, shall be submitted to STUK for information. STUK controls the implementation of the initial training programmes by inspections conducted at its discretion. Prior to the start of the operation of the nuclear power plant, STUK inspects that the qualifications required are fulfilled. The requirements for the training of nuclear power plant personnel and operator licensing are presented in guides YVL 1.6 and YVL 1.7. 228 Commissioning A trial run is an essential part of a nuclear power plant’s commissioning. It serves to demonstrate that the plant is built and operates according to design. The trial run is divided into the following main parts: systems tests, fuel loading and pre-criticality tests of reactor systems, reactor criticality and tests at low power, and tests at various power levels. STUK controls nuclear power plant trial runs by reviewing the overall trial run plans and programmes, by witnessing the tests conducted at the power plant and by inspecting the trial run result reports. Nuclear power plant operation is considered to begin when the loading of nuclear fuel into the reactor is started. At this stage, to ensure that the plant conforms to the regulations which apply to it, STUK inspects, according to the Nuclear Energy Act, that: x Documents concerning the operation of the plant are acceptable in every respect; x Operating procedures, the procedures for transients and emergencies included, are adequate; x The organization operating the nuclear power plant is adequate and appropriate; x Persons taking part in the use of nuclear energy are qualified as required; x Persons who have approval from STUK have been appointed as the responsible manager for the operation of the plant and his deputy; x There is a sufficient number of licensed operators at the plant; x For the operation of the plant, persons responsible for the emergency response arrangements, physical protection and safeguards have been appointed, who have approval from STUK; x Commissioning inspections with acceptable results have been carried out for plant systems, components and structures; x The results of systems tests are acceptable in so far as the trial run can be accomplished without the reactor; x Basic inspections of structures and components have been accomplished; x Physical protection and emergency response arrangements are sufficient; x The necessary control to prevent the proliferation of nuclear weapons has been arranged appropriately; and x The licensee has, as prescribed, arranged indemnification liability in case of nuclear damage. Reactor loading may be started when STUK has approved the loading application and the reactor and fuel behaviour reports for the first fuel cycle. The reactor may be made critical and brought to a higher power level in conformity with STUK’s decisions. When the trial run has ended, the licensee and STUK will carry out an overall assessment of the results. Based on the results of the trial run, also the technical specifications are reassessed. Based on the assessment the licensee makes in the document, the necessary changes approved by STUK. The requirements for and control of the trial run are presented in guide YVL 2.5. 229 5.2.2. Structure and content of the QA manual (Germany) During the commissioning of GKN unit 2, the authorities required a quality assurance manual (QM) pertaining to obtain the operating licence. The design and the content of this manual was developed together with the representing authority and their appointed independent experts (TÜV). The major goal of the authority requirement for a QA manual, was to collect all items of QA relevance into one manual as a standard and to certify them on the base of the actual international publications of QA rules. The result is a paper where each employee of the plant can easily find all rules and regulations in a clearly articulated and structured manual to ensure a safe and reliable plant operation. The QA manual has two parts. Part one is the quality assurance programme that is a brief description of the QA regulations at GKN. Within 80 pages, an overview is given of all QA items. Part two includes the detailed instructions for all QA items and consists of approximately 800 pages. The reasoning behind this structure is the German method of a specific regulatory control: the authority is only responsible for the administrative tasks because normally their employees do not have any technical background. To examine e.g. modifications from the technical point of view, an independent expert is appointed (TÜV or other independent organizations) which is then obliged to directly report to the authority. To avoid finding that all documents have to be evaluated and licensed by the responsible authority, only documents with essential and substantial subjects are classified as a safety specification (SSP). It is not allowed to modify SSP without approval given by the responsible authority. All other documents which are not SSP but which contain safety related regulations, are approved by the TÜV without authority participation, however, the responsible authority receives all informative assessment reports from the TÜV. Correlating to this philosophy, part one of the QM is classified as SSP and part two of the QM only has to be approved by the TÜV. Most manuals are designed in the same manner. The QM has two parts. Part 1 is the QA programme and part 2 includes several detailed QA instructions for specific items. The general structure of the QM is as follows: x x x x x x x x x x x x x 230 Introduction and objectives; Scope of application; Internal organization principles; Organization; Plant modification procedure; Plant operation; Procurement and storage; Manufacturing; Arrangement system and distinguishing; Preventive maintenance; Repair; Commissioning after modifications; Periodic tests; x x x x x Surveillance of measuring- and test-equipment; Handling of deviation; Experience feed back; Document handling; Surveillance of the QA system. Further on each QA item is described in detail. Plant modification procedure As an authority requirement, all nuclear power plants in the region of BadenWürttemberg have the same modification procedures. This procedure is described in detail in part 2 of the QM. In particular the classification of the modification is tightly regulated due to the components concerned. There are 4 modification categories: x x x x Cat. A: Licensing needed before modification can proceed (e.g. increase of power); Cat. B: Licensing procedure (e.g. modification of SSP); Cat. C: Assessment by TÜV; Cat. D: Own response modifications. Plant operation The objectives of plant operation are regulated in detail within the operation manual (OM). Several OM Chapters, which are marked as SSP are as follows: x x x x x x x Work permission procedure; Control room and shift regulations; Radiation protection regulations; Fire protection regulations; Personnel injury regulations; Alarm regulations; Physical protection regulations. All other aspects of plant operation are also described in the QM. Procurement and storage An essential part of QA in NPPs is based on management of controlled spares. Therefore the following aspects: x Selection and assessment of manufacturers; x Warehouse control of incoming items; x Storage; x Spares issue. must be very strictly regulated in order to avoid component failures. 231 Manufacturing Manufacturing as a special part of the above item, has to focus on the documentation. Especially when the TÜV is involved, a special procedure of handling the manufacturing documents and the investigation of the production of spare parts is necessary. This is equally valid for work done by contractors as well as for work done on site. Arrangement system and distinguishing Correct identification of components, spare parts and documents are essential prerequisites of a safe plant operation. Therefore a detailed regulation is contained within several QA instructions. Preventive maintenance Preventive maintenance, among other things, is equivalent to periodic tests, an item with the highest grade of regulation depth. The regulations are contained in several different documents. So the QM has to point out the maintenance philosophy and to refer to the different documents. The major questions to be answered are as follows: Who is competent/responsible? The responsibilities have to be defined very clearly without any overlapping; Personnel oganization (part of the OM); Work permission regulations (part of the OM); What must be done? All components/systems have to be listed; Maintenance list which is part of the maintenance manual); When does it have to be done? For every component to be maintained, an interval must be defined; Maintenance list (part of the MM); How does it have to be done? For every component to be maintained, detail instructions for dismantling; Controlling and assembling have to be created; Maintenance instructions (part of the MM); What about plant safety? There are a lot of restrictions caused by the availability of the safety systems. Possible unavailability has to be analyzed for each plant state (full power, shutdown, a.s.o.). Prohibited and corrective actions must be defined; x Regulations for power operation (part of the OM); x Regulations for shutdown condition (part of the OM); x System safety classification list (QA instruction, part of the QM). x x x x x x x x x x x x x x x x Repair Repair of damage on components must be done taking into consideration the same QA aspects as described above for the preventive maintenance. In addition, the procedures pertaining to event reporting and experience feedback must also be regulated. Experience feedback has it’s own chapter in the QM. Reporting criteria for events. National and international scale (part of the OM). 232 Commissioning after modification Large plant modifications such as the installation of e.g. new systems or an increase of power in the plant, must be tested afterwards in a similar way as the first plant commissioning was done. Responsibilities, necessary procedures (system check, pressure test, a.s.o.) and sequences, have to be regulated as well as the forms which are to be used. Preparation of commissioning documents (QA instruction, part of the QM). Periodic tests To assure a safe plant operation, periodic tests are an essential prerequisite. They certify the component reliability between the various maintenance activities. Latent failures need to be identified immediately. Especially within the I&C, which has no preventive maintenance, there is a major field for periodic tests. Similar to the preventive maintenance, periodic tests affect plant operation in a far- reaching way and the same questions must be answered. The regulations are held within several different documents. The QM then sets out the testing philosophy and refers to the different documents. The major questions to be answered are the same as those presented for preventive maintenance: Surveillance of measuring- and test-equipment Measuring- and test-equipment must be calibrated as an essential prerequisite to ensure reliable periodic testing procedures. Test equipment must be classified, listed and calibration intervals must be fixed. Responsibilities must also be regulated. Handling of deviation Deviation is the failure of the detected actual condition to match the desired condition. Deviations can be either administrative (procedures) or technical. The QM describes a general procedure for handling deviations. Analysing procedures, internal and external reporting, information of the responsible authority, remedial actions and precautions against repetition are only some items that must be regulated. The QM has no relevant procedure for all of the various deviations but it refers to several documents which regulate deviations in special cases (e.g. fault reports) and it describes the general philosophy of deviation handling. Experience feedback Experience feedback is an important part of the QA system. It helps to avoid faults and events. Therefore a local procedure was created which deals with all essential items beginning with a root cause analyses above reporting to the authority and ending with the decision to realise plant modifications. Document handling A joke says, if our descendants will dig out an NPP in some thousand years, they will conclude that it is a paper factory with all their product still in stock. In view of such an incredible amount of documentation and the absolute necessity to keep it up to date and available for everyone, one can imagine how important it is to have a 233 detailed procedure for document handling, arranged in a clearly defined structure. The following items must be regulated: x x x x x x Responsibility for document content; Responsibility for document servicing; Responsibility for document proving and release; Document design layout and structure; Distinguishing; Archiving. Especially the modern archiving systems such as micro films and micro fiches including further the development of computer data memory, brings a lot of changes along with the need of detailed regulations for documentation manual and document handling (QA instruction, part of the QM). Surveillance of the QA system Just creating a QA manual is not enough to guarantee a high quality in plant operation. Education of personnel is equally necessary. In QA, training in use of procedures makes people aware of the importance of QA, and also helps to convey a deeper understanding for the relationship of all QA aspects. The third step necessary is good control of the QA system. There is no need to control people if the rules are being followed, but one must also check the applicability of the procedures. An audit team is responsible for audits and to co-ordinate them together with the concerned departments. Afterwards a written report must be supplied to the Plant Director. Deviations found by the audit team must be commented with suggestions for improvements. The management decides upon the implementation of the improvements suggested. After implementation, an audit follows which will check and confirm the improvements. (Internal Audits (QA instruction, part of the QM)) 5.2.3. Use of the licensing documents and updating procedures The licensing documents are the bases of the contract between the licensee and the safety authority. They should be sufficient for the licensing process and provide enough details to allow conformity inspections. Generally, a lot of documents are referenced in the Safety Analysis Reports. Thereby, these documents belong to the reference and should be provided at request for assessment. 5.2.3.1. Use of the documents Assessment of the documents can be done in different ways, but which can complement each other. Use of detailed adapted regulation The first and most usual way of assessing plant safety from documentation is to check, step by step and topic by topic that the relevant guides are properly applied or that another 234 convincing method has been implemented to reach a safety level at least equivalent. The Section 5.2.1 shows, as an example, the correspondence between each licensing step and/or each specific item and the Finnish system of guides. Such a verification is needed as these documents are the base of the regulatory system in the country but this method has few chances to lead to the discovery of unexpected difficulty as the applicant built this documentation while using the same logic. Use of internationally available review process In countries where the regulation is less extensive the use of the standard review plan developed in the USA in coherence with the Safety Analysis Report plan (RG-1.70) can be useful. But each formalised list of questions is limited by nature and as these documents are difficult to update, the latest developments in safety will not be covered. In addition such rather general documents could be more or less influenced be specific designs and cultures. Considering the operating procedures to be applied in accident conditions, the high performances characteristic for most western plants lead to rather short grace periods. Operating personnel are not always graduate engineers. Detailed procedures, easy to use without additional deep thinking, are strictly necessary. For VVER 440 units, the very large thermal inertia provides hours prior to any significant damage to the fuel for a significant list of abnormal conditions such as the complete loss of power or the complete loss of steam generator feed-water. The scientific knowledge of the operating personnel is generally recognised (and must be checked in any case as a specific item of the review). A different type of procedure can be acceptable to cope with these situations and still ensure safety . Cross checking examination Following the same logic that the applicant’s gives few chances to find unsatisfactory aspects. It can be beneficial to use other methods, such as the consistency of the operating rules with the design assumptions and requirements. Two examples will illustrate this approach: 1. Average primary circuit temperature/pressure diagram (see Fig. 17): The authorized working region must be the translation in operational terms of several design assumptions. Checking the appropriateness of each limit will insure appropriate margins during operation. The limit Psat, (Tsat — 30°C) provides a satisfactory margin for pressurizer operation, and avoids boiling elsewhere in the primary circuit. The limit Psat, (Tsat — 110°C) restricts the maximum temperature difference between the pressurizer and the hot line and decreases the fatigue effect in the pressurizer and the surge line during the operational transients. 235 Pressure in bars French 1300 MWe PWR n 160 155 140 Saturation curve + 110 bars SG tubes 120 Temperature variation d 28°C/h Saturation curve - 110°C Surge line 100 Maximum RHRS temperature 80 Saturation curve - 30°C Low limit of connection between RHRS and RCS 60 Presuriser operation Protection against overpressure Saturation curve 40 31 27 25 Primary pumps NPSH limit 20 0 0 50 100 150 160 180 Mean primary temperature °Co 200 250 297,2 306,5 FIG. 17. Average primary circuit temperature/pressure diagram. The limit (Psat + 110 bar), Tsat limits the maximum pressure difference on the steam generators tubes. The limit at 160°C provides margin against sudden rupture of the reactor vessel at the end of its life (Nil Ductility Transition Temperature — NDTT). Below this limit, the protection against over pressure in the primary circuit is done by the residual heat removal system and is efficient at 35 bar instead of 172.3 bar. The maximum temperature variation speed in normal condition, d 28 qC/h, is consistent with the design conditions of the pressure vessel (200 full range cycles over the plant life). In case of incidental depressurisation, the limit is 56 °C/h (acceptable 20 times over the plant life). The plant monitoring can be helped by computer assistance showing the operation status inside the diagram. 2. Analysis of the incident and accident procedures: It is current practice to check: x x The limits of accidental conditions covered by the procedure; The symptoms and information needed to make the diagnosis; 236 x x x The operation strategy compared to the accident analysis; The conditions of staff training; and The interface with non affected plant equipment. It is also important to establish the complete list of equipment and information available during the management of the situation to assess: x x x x x x The qualification of the equipment to operate in the conditions of the accident as considered in the design such as ageing, radiation, temperature, humidity, seismic conditions; The measuring range; The accuracy of the sensors and indicators compared to the specific needs (this is particularly important for the measurement of the water level in the reactor vessel in symptom oriented procedures); Periodic testing frequency and acceptance criteria; The required availability in operating conditions and limits; The documentation and training up dating. As these areas of assessment tend not to have been systematic in the past, significant findings are to be expected. 5.2.3.2. Documentation updating During the operation period, a large part of the documentation provided with the final safety analysis report related to the description of the plant, the design basis and the safety systems do not need updating. Such documentation should even be applicable to several units if they replicate each other. A flexible practice should make it possible to have a basic description of standard plant documentation, specific site documentation and, for each unit, specific data such as “as built” information”. Documents related to the operation phase like technical specifications, operating procedures, periodic testing program, preventive maintenance, etc. need periodic review and, to some extent which can differ from a country to an other, regulatory agreement prior to implementation. This practice of preliminary agreement helps define the conditions for up dating. The third case relates to the updating of operational documents and general documentation available for the operating team after a plant modification. These documents shall be modified strictly at the time the new conditions are considered as operational to ensure continuity between the plant, its description and the operational practices. Clear indexation of the documentation to meet the QA requirements is also vital. Modified documents should even be available for training prior to the effective use of the modification. Documentation review is needed every 10 years for the periodic safety review as it provides the starting point for this assessment. Definition of the revised shape is a part of the periodic safety review process to be defined by the regulatory body. 237 6. DEVELOPING SAFETY 6.1. THE ROLE OF THE REGULATOR IN THE DEVELOPMENT OF SAFETY CULTURE The basic concept of safety culture has been presented in the INSAG-4 report [10] (see Fig. 18). The approach to developing safety culture has much in common with that needed to develop an effective organization. This development process can be assisted by the use of a learning process within an organization to promote a dynamic progressive culture of safety. Safety culture has to be inherent in the thoughts and actions of all the individuals at every level of the organization. The leadership from management is crucial. FIG. 18. Illustration of safety culture [10]. For developing safety culture it is important to recognize that safety culture is about people, their organization and interactions. Human aspects to consider cover behaviours and attitudes of the people involved, this also includes perceptions formed from influences, past experiences, peer pressures or cultural sources. It is equally important to pay attention to the organizational structures, the communications within and between the groupings and such aspects as organizational culture. This means examining the rules, policies and decision-making levels. All organizations need direction and the management style of those in charge directly affects the attitudes, behaviour and motivations of those who have to carry out the work. It is management’s prime task to gain the confidence and trust of the workers and to engender a sense of “ownership” in the organization. This sense of owning or belonging has a very positive impact on motivation and 238 subsequently progressive promotion of safety values, attention to detail, questioning attitudes and a vested interest in individual and organizational safety goals. Every situation and organization is unique and influenced by the national culture. It is necessary that the national culture is taken into account when assessing or attempting to understand safety culture. Some societies have values and behaviours which differ markedly from other areas of the world not only in the acceptable patterns of work but in managerial style, authority levels and the degree of questioning attitude. All these aspects need to be considered when developing a safety culture compatible with international norms but incorporating national practices and cultures. The characteristics of a good safety culture are listed in [25 and 26]. These should be used as a checklist to compare the organization’s status and to develop appropriate conditions as required. An organization with a good safety culture relies on the close interdependence between technical safety and organizational processes. Continuous learning and improvement processes play a central role in the development and maintenance of a good safety culture. It is apparent that nearly all organizations involved in nuclear activities have in common a concern for safety and how to improve and maintain it. There is diversity among organizations in their understanding of safety culture. This variation can be described by using three stages each of which displays a different awareness of safety. The characteristics of each stage, identified below, provide a measure for regulators and operators to be used as a basis for self-diagnosis. The characteristics may also be used by both organizations to give direction to the development of safety culture, by identifying the current position and the position aspired to. It is, therefore, important for regulatory authorities to recognise at which stage its licensees are. 6.1.1. Stage of safety culture — safety is solely based on rules and regulations At this stage, the licensee sees safety as an external requirement and not as an aspect of conduct that will help the organization to succeed. The external requirements are those of national governments, regional authorities, or regulatory bodies. There is little awareness of behavioural and attitudinal aspects of safety performance, and no willingness to consider such issues. Safety is seen very much as a technical issue. Mere compliance with rules and regulations is considered adequate. For an organization that relies predominantly on rules, the following characteristics may be observed: Production is seen as all important; Safety is viewed as a technical requirement; Technical problems are not anticipated; the organization reacts to them as they occur; Organizational problems are not resolved; The decisions taken by departments and functions concentrate upon little more than the need to comply with rules; x The role of management is seen as endorsing the rules, pushing employees and expecting results; x x x x x 239 x There is little or no awareness of work or business processes; x Communication and cooperation between departments and functions is poor; x People are viewed as system components — they are defined and valued solely in terms of what they do; x There is an adversarial relationship between management and employees; x People who make mistakes are simply blamed for their failure to comply with the rules; x There is not much listening or learning inside or outside the organization which adopts a defensive posture when criticised; x Regulators, customers, suppliers and contractors are treated cautiously; x People are rewarded for obedience and results, regardless of long-term consequences. 6.1.2. Stage of safety culture — good safety performance is an organizational goal An organization at this stage has a management that perceives safety performance as important even in the absence of regulatory pressure. Although there is growing awareness of behavioural issues, this aspect is largely missing from safety management methods that comprise technical and procedural solutions. Safety performance is dealt with, along with other aspects of the business, in terms of targets or goals. The organization looks at the reasons why safety performance reaches a plateau and is willing to seek the advice of other organizations. 6.1.3. Stage of safety culture — safety performance can always be improved An organization at this stage has adopted the idea of continuous improvement and applied the concept to safety performance. There is a strong emphasis on communications, training, management style, and improving efficiency and effectiveness. Everyone in the organization can contribute. Some behaviours are seen within the organization which enable improvements to take place and, on the other hand, there are behaviours which act as a barrier to further improvement. Consequently, people also understand the impact of behavioural issues on safety. The level of awareness of behavioural and attitudinal issues is high, and measures are being taken to improve behaviour. Progress is made one step at a time and never stops. The organization asks how it might help others. For an organization that develops safety performance continuously, the following characteristics may be observed: x Safety and production are seen as inter-dependent; x The organization begins to act strategically with a focus on the longer term as well as an awareness of the present. It anticipates problems and deals with their causes before they happen; x Short term performance is measured and analysed so that changes can be made which improve long-term performance; x People recognise and state the need for collaboration among departments and functions. They receive management support, recognition and the resources they need for collaborative work; x People are aware of work, or business processes in the company and help managers to manage them; 240 x Decisions are made in the full knowledge of their safety impact on work, or business, processes as well as on departments and functions. There is no conflict between safety and production performance, so safety is not jeopardised in pursuit of production targets; x People are respected and valued for their contribution; x The relationship between management and employees is respectful and supportive; x Almost all mistakes are viewed in terms of work process variability. The important thing is to understand what has happened rather than find someone to blame. This understanding is used to modify the process; x The existence of conflict is recognised and dealt with by trying to find mutually beneficial solutions; x Management’s role is seen as coaching people to improve business performance; x Learning from others both inside and outside the organization is valued. Time is made available and devoted to adapting such knowledge to improve business performance; x Collaborative relationships are developed between the organization and regulators, suppliers, customers and contractors; x Aware of the impact of cultural issues, and these are factors considered in key decisions; x The organization rewards not just those who produce but also those who support the work of others. Also, people are rewarded for improving processes as well as results. The above characteristics describing each of the three stages of evolution could serve as the basis for a survey to establish which stage an organization has reached. The above descriptions of each of the three stages of evolution of safety culture are clearly relevant to large organizations typically associated with major nuclear installations. The majority of the characteristics are also relevant to smaller organizations or groups of people involved in a wider range of nuclear activities such as industrial or medical radiography, or the operation of research reactors. Large scale organizations present particular challenges on ensuring that there are good communications and co-operation between the various functions within the organization. Communications tend to be more direct in smaller groups. The response to pressure from peers is likely to be quicker in small groups, but partially countering this, is the potential influence that the culture of a professional institution can have on individuals within these groups. Multi-cultural influences may thus be more visible in smaller groups. In large organizations there is more likely to be a dominant organizational culture. Pursuing the development of a good safety culture in a small group may necessitate some attention to the status of safety culture in any professional institutions affecting people in the group. Irrespective of the size of the organization a pre-requisite for the development of a good safety culture is the visible commitment of the person or persons responsible for leading the organization or group. The process for the development of safety culture can be assisted by the use of a learning process within an organization. A person or organization learns by reflecting on what they have experienced, formulating concepts and ideas for change while continuing existing best practice. The implementation of such concepts and ideas is intended to improve performance and, thereby, modify future experience. At an appropriate time this modified experience can itself be reviewed and lessons learned and when additional ideas are implemented, the cycle is repeated. Regulatory bodies need to promote the feedback of 241 experiences and the establishment of learning processes to update current thinking and practices. There are a wide range of practices that are of potential value in the practical development of a progressive safety culture. Many practices are already identified in INSAG4 and some additional practices not specifically mentioned in INSAG-4 are already commonly accepted as being of value in the development of an effective organization. A subset of practices which are judged to be of particular relevance to the development of a safety culture is described later in more detail. The time scale required to progress through the various stages of development cannot be predicted. Much will depend upon the circumstance of an individual organization and the commitment and effort that it is prepared to devote to effect change. Historical experience to date indicates that the time scale for change can be long but it should be recognised that many of the organizational concepts that have provided a new perspective on the influence of culture on safety, have only been conceived in recent years. Now that these concepts and supporting principles are acknowledged internationally, and practical experience is being shared, it may well be possible to progress through the stages more rapidly. However, sufficient time must be taken in each stage to allow the benefits from changed practices to be realised and to mature. People must be prepared for such change. Too many new initiatives in a relatively short period of time can be organizationally destabilising. The important point to note is that any organization interested in improving safety culture should start and not be deterred by the fact that the process will be gradual. 6.1.4. General practices to develop organizational effectiveness Within an organization safety culture is a subset of the wider organizational culture. Many practices which are used internationally to improve organizational effectiveness can contribute to developing improved safety. This section contains information on some of these general practices. Many organizations recognise the importance of ensuring that there is unity of purpose among their employees, and that they are motivated to achieving the organizational goals. These organizations also recognise that guidance should be given to employees on how they should behave towards each other, and towards others external to the organization. Openness, trust and two-way communication are keystones to establishing effective organizations. The concepts of vision, mission, goals and values are often used to achieve the above desired requirements. Although normally used in a business planning context, these concepts can also be usefully applied to promote safety improvement. The individual concepts are briefly described below in the context of safety. Vision The vision describes in a few keywords the future aspirations of the organization, and paints a picture of where the organization would like to be in future. The time scale for achieving the vision will vary with each organization, but generally the time scale is several to 242 many years. A vision can be used to align the efforts and energies of employees. An example of a safety related vision for an organization would be “to be regarded as the best safety performer in its sector of industry. The creation of the fundamental vision is the responsibility of top management but it is essential that employees have an opportunity to learn and understand the driving force for the vision so that they are committed to achieving it. There is a great responsibility on all managers to communicate the vision to their workforce. Mission The mission briefly summarises in a few paragraphs what has to be done in order to achieve the vision. It may refer to the organization’s intended relationship with employees and external groups. It may also contain quantitative targets and can undergo change during the time frame of the vision. Goals There will be a range of actions that have to be taken to achieve the mission. Each action will have a specific goal. Each goal can be regarded as a focal point for an action plan within the organization and serve as motivation for employees. An example of a safety related goal is “to reduce the average radiation exposure of employees by 10% during the next year”. Values Values are those standards and principles which people in a group or locality might share. values govern attitudes which show themselves in the behaviour of people towards each other. In organizations values will be present implicitly. The aspirations of an organization for how people should be treated, and how the people themselves want to be treated, may be explicitly stated in values set by top management. These values have to be shared and must be made known to all levels of the organization. They are considered inviolate. A value that addresses safety is that “safety is never compromised”. Process for developing and implementing a vision, mission, goals and values The real power of these concepts is less in the words created than in the process used to create it. Employee involvement is essential, but there is a particular emphasis on top managers and their subordinate managers to lead, communicate and seek input from their workforce. These concepts have no benefit unless they are genuinely shared by the workforce. Developing a safety related vision, mission, goals and values may be a good starting point and a focal activity for initiating improvements in safety culture. Once the vision, mission, goals and values have been developed, a strategic plan should be developed to facilitate its implementation. This strategic plan should include policy, organizing, planning and implementation, a means of measuring performance and review mechanisms, supplemented by appropriate audits. Coaching of employees by managers to improve safety performance is important. There should be a process of continuous evolution of improved safety rather than satisfaction with achieving safety targets. In Stage III, an organization will probably be moving toward the 243 development of these facilitation skills in all individuals who will serve in leadership positions within the organization. Experience has shown that organizations characterised as being very open to the public, professional associations and the regulator as well as internally have gained in both public confidence and in the successful management of safety. Confidence and trust can easily be lost when secrecy and a tendency to cover up on failures is discovered. It will generally take a long time before confidence and trust can be recovered. Openness is also a basic requirement for the sharing of experiences, which in turn, provide a basis for an organization’s ability to learn and improve over time. Most successful organizations actively encourage teamwork among their employees. A team is a group of people who are committed to work together to achieve some common objectives. The combination of individuals in teams generally results in a more effective solution to a problem or achieving an objective. This is particularly true when the problem is of a complex nature and its solution requires the input of different disciplines. Continuous evolution of improved safety performance An organization needs to focus on continuous evolution. In other words no matter how well the organization is currently performing, it always needs to be looking at how it might perform better still. This includes looking at ways current systems and processes might be improved, and also looking at how advantage can be taken of changing technology. Continuous evolution is most effectively sustained by focusing on improvements generated by employees. It is recognised that the design of a nuclear facility has to be frozen at some stage, but this does not prevent evolution of future design standards. The concept of employee empowerment can be misunderstood. It does not mean the abdication of management accountability or uncontrolled and undirected employee participation. The aim of empowerment is to provide employees at all levels, and in all parts of the organization, with the skills, support and commitment required to maximise their contribution to organizational performance. A commitment to the continuous evolution of improved safety performance and the empowerment of employees to contribute to that improvement can be a potent force in achieving sustained high levels of safety. The involvement and commitment of senior management in pursuing high standards of safety is essential. Without a visible and genuine demonstration of this commitment by personal behaviour and leadership example by management, other workers in the organization will not be convinced of the importance of safety compared to other organizational issues. Words without deeds will create an illusion of safety that will result in the development of a superficial safety culture. To support the development of a good safety culture, senior managers can contribute by: x Gaining understanding of safety culture concepts and practices by undergoing appropriate training; x Demonstrating a leadership style that has an appropriate balance between caring and controlling; 244 Being visibly interested in safety; Having safety as a priority item on the agenda at meetings; Encouraging employees to have a questioning attitude on safety issues; Ensuring that safety is addressed in the strategic plans of their organization; Having personal objectives for directly improving aspects of safety in their areas of responsibility; x Regularly reviewing the safety policy of the organization to ensure its adequacy for current and anticipated circumstances; x Monitoring safety trends to ensure that safety objectives are being achieved; x Taking a genuine interest in safety improvements and giving recognition to those who achieve them, and not restricting their interest to situations where there is a safety problem. x x x x x Senior management should ensure that their organization has a safety management system that provides a structured, systematic means of achieving and maintaining high standards of safety performance. The board of management of an organization which possesses the highest level of executive authority should routinely discuss and review safety performance. A practice adopted by some boards of management is to nominate one of their members to assume a special responsibility on behalf of the board in monitoring safety performance and the proactivity of line managers in implementing plans that include seeking improvements in safety. Development of a strong safety culture can result in more effective conduct of work and a sense of accountability among managers and employees. They should be given the opportunity to expand skills by training. Thus, the resources expended result in tangible improvements in working practices and skills. This consideration should encourage further development to improve safety culture. In promoting an improved safety culture there have been different emphases, with some countries favouring an approach giving a high profile to the use of behavioural sciences while others have emphasised the quality management system approach to enhancing safety performance. There is consensus that account should be taken of both national and organizational culture in promoting an improved safety culture and an appropriate balance of behavioural sciences and quality management systems approaches should be pursued. Many of the features of a strong safety culture have for a long time been recognised as good practices in many areas of safety activities, for example in the nuclear industry as well as in other industries such as aviation. What has emerged in recent years is more emphasis on a systematic approach to the development of an improved safety culture. There is an increasing awareness of the contribution that human behavioural sciences can make to developing good safety practices. Just as nuclear facility performance relies on the technical advice of specialists, some aspects of safety and organizational performance can be improved by seeking advice from experts in the behavioural sciences. Safety culture is important in that it is an influence on behaviours, attitudes and values which are important factors in achieving good safety performance. Organizations with mature safety cultures focus more on the overall goals and key points rathers safety culture by setting 245 an example from their own organizational practices and by applying the principles of good safety culture in their interactions with the operator. It is vital that the regulator understands the safety culture factors necessary to supplement technical expertise. The basic concept of safety culture has been presented in the INSAG-4 report safety culture [10]. The approach to developing a safety culture has much in common with that needed to develop an effective organization. This development process can be assisted by the use of a learning process within an organization to promote a dynamic progressive culture of safety. safety culture has to be inherent in the thoughts and actions of all the individuals at every level of the organization. The leadership from management is crucial. Safety culture applies also to conventional and personal safety, not only nuclear safety. All safety considerations are affected by common points of belief, attitudes, behaviours and cultural differences closely linked to a shared system of values and standards. 6.2. THE ROLE OF ASSESSMENT IN THE DEVELOPMENT OF SAFETY CULTURE 6.2.l. How to measure safety culture No composite measure of safety culture exists. The multi-faceted nature of culture makes it unlikely that such a measure will ever be found. Changes are usually slow and often imperceptible. Nonetheless, historic experience demonstrates that over finite periods of time cultural changes can be discerned, and the same should be true of safety culture. To assess progress in the development of safety culture we may have to abandon the search for a single composite measure and concentrate on identifying the range of indicators that reflect the individual sub-components of culture. The basic range would comprise measures for observable behaviour, conscious attitudes and perceptions or beliefs. In [25] it is discussed the use of behavioural measures, attitudinal measures and perception or belief measures. Behavioural observation and attitudinal surveys fit well for self-assessment in operating organizations. Detecting incipient weaknesses in safety culture is a tool that fits well for regulators and their inspection programmes. There is often a delay between the development of weaknesses in an organization’s safety culture and the occurrence of an event involving a significant safety consequence. Alertness to the early warning signs allows remedial actions to be taken in sufficient time to avoid adverse safety consequences. Regulators have an obvious and legitimate interest in maintaining safety culture, and whilst it may not be practicable and appropriate for them to prescribe a safety culture, they have an important role to play in encouraging organizations to identify, understand and apply positive steps to improving safety culture. Currently, most regulatory regimes are geared to negative feedback; hence it is important to stress practices that develop strong safety culture. However, it is important that regulators also be alert to incipient weaknesses in safety culture, and therefore guidance on symptoms to look for when carrying out regulatory duties, are also needed. When safety culture first start to deteriorate, the most obvious early warning signs are those associated with a significant accumulation of corrective actions that have not been processed, together with a growing list of outstanding actions that also have high safety significance. The nett result of this large amount of outstanding work is that the organization doesn’t know quite how to deal with the ever-growing demands on its all-too-obviously finite 246 resources. As a consequence of these pressures, organizations start to become more rigid, less outward-looking, less communicative internally, and they also appear much less interested in learning valuable lessons, and applying relevant knowledge from other sources. In this increasingly overloaded and under-resourced situation, organizational responses to crises start to become highly ritualised. For example, there might be a constant refrain that demonstrably defective procedures will somehow need to be re-written, that training must be improved, and that operatives must take more care. However, in practice few, if any, effective remedial measures are ever taken, and appropriate design and equipment modifications also become stalled, simply because the organization has chosen to adopt, in the first instance, a fire-fighting, and then finally, a siege mentality. In this situation, social loafing (leaving it to others) and ultimately, learned hopelessness (ritualised recognition of the apparent futility of an individual’s own actions) increasingly start to manifest themselves as individuals perceive that their own particular efforts are unlikely to count for anything in the overall battle for survival. As the problem of countering the growing list of remedial actions becomes increasingly acute, senior management find that they do not prioritise their actions effectively, and as a result they start to attach and apportion blame to those individuals who appear to be the source of their problems. In its extreme forms, such scapegoating behaviour can be focused not only on those who are trying to prevent safety problem repetition and who wish to learn the necessary lessons, but even on the immediate victims of safety deviations. Some safety cultures can also start to deteriorate simply because managers come to believe that safety performance is satisfactory, or else because its “champions” relax, become complacent, move on, or simply drop their guard. However, in general, though not in every case, most of the behaviours outlined above tend to occur as a direct consequence of highly significant corporate change processes. Very often, social, political, or commercial pressures can start to affect the ways in which utilities plan and operate, with the result that uncertainty then becomes a way of life. In this climate, safety behaviour is not only not rewarded, but sometimes can sometimes even be punished, with the result that business survival becomes an even stronger influence on corporate behaviour than safe corporate behaviour. The first early warning signs of deterioration need to be heeded because there is difficulty in revitalising a successful safety culture. Even though the situation can, at times, appear hopeless, there is every likelihood that early detection of the problem will lead to early diagnosis and the application of effective remedial measures. For example, an “assisted blitz” on outstanding corrective actions can very often lead to early feelings of management success and a resumption of corporate control, with the result that those directly affected by the work backlog can see that senior management is not only committed to stabilising the situation, but that they are also prepared (at least in the short term) to prioritise safety over production objectives; that they are leading from the front; and that they are taking “ownership” of the problem. Regaining effective control of the safety mission, and applying appropriate remedies at the earliest possible moment, therefore, is probably the most valuable investment that a utility can make when faced with an apparently deteriorating safety culture. It is important that regulators are aware of the early warning signs of a weakening safety culture so that remedial actions can be taken to avoid adverse safety consequences. Currently, most regulatory regimes are geared to negative feedback, but the ability of the regulator to encourage the operator to identify, understand and take positive steps to improve Safety Culture is extremely important. 247 The following are features that regulators and operators should pay attention to when inspecting and assessing the plant and other facilities. Some features are associated with the information provided to the regulator by the operating organization, many are points to be monitored by regular observation and which can be used to provide indicators to the level of safety culture in an organization. They are not difficult to detect and relate directly to the actual situation. 6.2.2. Organizational issues Organizational support Safety culture does not exist in isolation and is influenced by the prevailing organizational climate or culture. It is important that the organizational culture be supportive of safety, particularly in encouraging the appropriate behaviours, attitudes and values among employees. Tangible evidence of a supportive organizational culture includes the following: x Visible leadership and commitment of senior managers to achieving good safety performance; x Understanding by employees that safety performance is important to the future success of their organization; x Employee involvement in safety improvement activities; x Effective communication of safety information including safety performance trends; x Focus on learning from problems rather than allocating blame; x Primary organizational goals include safety and are not focused on cost or financial targets only; x Adequate allocation of financial and other resources to the support of safety. Evidence of the presence of the above attributes can be obtained by observation, employee interview or questionnaire survey. Questionnaires should be designed with care to ensure their consistency, reliability and validity. Table XVI collects common safety culture components that are useful in safety culture assessments. TABLE XVI. COMMON KEY SAFETY CULTURE COMPONENTS x x x x x x x x x x x x 248 Top management commitment to safety. High priority of safety. Strategic business importance of safety. Frank and balanced relationship with the regulators. Proactive and long-term perspective. Quality of documentation and procedures. Sufficient and competent staff. Clear roles and responsibilities. Openness and communications. Involvement of all employees. Housekeeping. Organization learning. x x x x x x x x x x x Visible leadership. Systematic approach to safety. Absence of safety versus production conflict. Appropriate relationships with other external organizations. Management of change. Compliance with regulations and procedures. Proper resource allocation. Team work. Motivation and job satisfaction. Good working conditions with regard to time pressures, work load, stress. Measurement of safety performance. External environment pressure Many organizations are subjected to increasing economic and business market pressures that are forcing them to reduce significantly their cost base, often through downsizing of their workforce. In some regions of the world there has been major political and social change that has impacted organizations both directly and indirectly. These changes create uncertainty in organizations that inevitably affect the behaviour and attitude of people. Organizational goals and priorities can change significantly and there is the potential for safety standards and performance to be adversely affected. Attention should be paid by all involved, either in the management or regulation of safety, to how change is being managed to ensure that the principles of good safety are not being jeopardised. Organizational insularity Organizational insularity can cause safety culture to deteriorate simply because managers come to believe that their safety performance is satisfactory and therefore become complacent. Managers have no benchmarks or learning opportunities. Insularity can be internal to an organization. Plants and facilities belonging to the same utility often create and display very different and operational styles and identities. Whilst this can assist in promoting a feeling of corporate identity, and individualism useful in building morale, it has undesirable elements in its influence on safety culture. Regulators need to review the organizational and operational aspects of each plant and compare these aspects such as interaction with other plants, interchanges of staff and information and collective problem solving. It is not a healthy sign to detect a lack of communication and interaction and the regulator should be alert for signs of plants “not talking to each other”. Small differences in style, approach or for local adjustment are acceptable but the aim should be for a consistent and open attitude to prevail across all the plants at a utility. It may not be immediately obvious to regulator or utility management that such large differences exist, however, it is in both their interests to review and rectify any shortcomings between sites or plants. It makes the regulator’s job easier to deal with a standardized approach and it makes economic sense for utilities to function as a family and profit from the ‘pooling’ of ideas and resources. This is, therefore, an area that warrants further investigation by the regulators to determine on a regular basis that an ‘open’ and interactive organizational style prevails between the plants under their jurisdiction. Openness Open and honest communication between regulator and representatives of the operating organization is essential if the former is to be able to assess and evaluate the safety culture. Difficulties in obtaining information may be a sign that there is a weakness in the safety culture. An organization striving to improve and develop its safety culture should be willing to share its experience with others as well as using the experience to improve its own safety. With deregulation and increased competition there may be a tendency to restrict information on the grounds of commercial value. This should not be allowed to escalate and undermine the openness of the relationship between the regulator and the organization. An increase in requests for information to be treated as commercially confidential may be an early 249 sign that a barrier to mutually beneficial information exchange and opportunities for sharedlearning are being erected. This could ultimately degrade the safety culture. This may also extend to the openness of the organization to participate in and contribute to international exchanges and initiatives. 6.2.3. Regulatory issues Corrective actions The existence of an effective self-assessment, root cause analysis and corrective action programme is a positive indication of a good safety culture. Measuring the number of open corrective actions and the length of time for which the actions have been open is a good indicator of general managerial effectiveness in planning and organizing work, allocating priorities and monitoring the progress of implementation. This is particularly important when the corrective actions are safety related. Many organizations maintain databases of corrective actions and construct an index to indicate the status of corrective actions. An example is provided here of one possible index which takes account of both the number of corrective actions and time open. Patterns of problems Part of the ongoing monitoring of compliance and plant status checks normally carried out by the regulator is the collection of information from varied sources. By arranging this information in pre-determined categories it is possible to create a profile or pattern of similar situations from which preliminary conclusions can be drawn. The range of categories is dependent on the system available for information to be reported and analyzed, however, it should be comparatively simple to create a list of safety culture attributes based on, for instance INSAG-4, against which reported or observed occurrences can be recorded. Such a collection can then be arranged into areas of recurrence or patterns of problem areas with which to commence further investigations into the causes. Repetition of problems usually indicates that the root cause was not identified correctly and that whatever corrective action may have been implemented was not adequate. Information can be collected from formal or informal sources and where possible should be corroborated or cross-checked to validate its accuracy. This data collection and analysis method can be used to produce trended information to indicate levels of reported performance by sections, groups or departments of the plant. Whilst they are not true indicators of performance trends are guides that can alert the regulator to areas of concern based on actual plant sourced information. Procedural inadequacies Documentation is the lifeblood of an organization and regulatory requirements demand that it be acceptable in quality and content. It is also required that safety documentation be complied with and, therefore, it must be up to date and reflect the actual situation. Normal quality assurance audits and checks should cover these requirements, however, these are usually not performed often enough to monitor the day to day status of review and revision. 250 An important element of safety culture is that employees will have confidence in procedures and use them correctly. However, it is essential that the regulator has an indication of the situation pertaining to regular documentation reviews and that any deteriorating situation is detected at an early stage. Failure to detect and rectify non-standard situations regarding procedures, etc. will lead to plant employees ignoring instructions, losing confidence in documented requirements and probably taking unilateral and unsafe actions. The slippage of review dates and revision issues is a strong contributor to poor safety culture and can also indicate weaknesses in other areas such as management, configuration control, resourcing and safety decision-making. It also influences morale, as the employees often perceive that if the documentation is neglected then other areas of concern are suffering as well. Regulators should, therefore, monitor on a frequent basis not only the quality of presentation, format and availability of documentation but also insist on a list of review dates, current status and delays. This list can then be checked on-site with random inspections of procedures, etc. to verify what has been revised and whether the reporting and review system is working. A large number of documents that have exceeded their review dates indicates a significant weakness in documentation management and requires urgent regulatory intervention. Quality of analysis of problems and changes Regulators have to be sure that any analysis carried out at the plant follows a systematic, auditable system that will ensure the correct methods are used, that validation is performed and that the correct solutions are defined. Too often the process is circumvented due to inadequate identification of the problem, lack of resources and knowledge or time constraints and these can lead to inappropriate actions being taken. In the case of plant modifications the regulator usually demands a safety justification to be presented prior to approval and this should be drawn up in accordance with pre-determined requirements set out by the regulator. Typically, these should include the philosophy, statement of problem, proposed courses of action, justification and independent review by the utility. A root cause analysis has to be undertaken to ensure that the real cause of the problem is identified and evidence of the adequacy of this can be readily checked by the regulator through monitoring the re-occurrence of similar problems. The establishment of a review and analysis group at the utility with the correct level of experience and qualifications will add confidence to the analysis process, however it is important that the regulator checks regularly that this group remains in place. Training and demonstration of root cause analysis should also be demanded by the regulator with regular checks on the composition of the group and random examination of the root cause analysis carried out by the group to monitor accuracy. It may also be possible at multi-site utilities for the regulator to cross check submissions from plants on the same or similar submissions to identify any anomalies which may indicate a serious mismatch in review and analysis techniques. In all cases the emphasis must be on systematic and conservative assumptions that can be related to risk and the accepted safety criteria. The fundamental principles of safety culture namely, prudent and rigorous approach, questioning attitude and communications underpin 251 the need for all safety case submissions and root cause analyses to be carried out with due regard for the possible consequences. Whereas sufficient attention may be devoted to technical plant modifications, the same is not always true for changes in organizational systems. Yet it is the latter that may have very serious consequences for the ability of the organization to develop a sound safety culture. High quality in analysis usually also requires an integrated approach i.e. to have a broader view of safety and recognising the need for integrated analyses with the involvement of different specialists. In order to be more proactive the analyses performed also need to include a long-term perspective. Lack and failure of independent nuclear safety reviews For all nuclear safety-significant proposals and modifications, independent nuclear safety assessments, should be undertaken by persons other than those who have undertaken the original work. In a healthy safety culture, these assessments will always have been fully documented, and checked for methodological, calculation and technical accuracy and validity, using approved procedures. As well as providing evidence that a safety culture is continuing to produce documentation to an approved regulatory standard, regulators and licensees will wish to satisfy themselves that there is continuing commitment to the production of high quality independent safety documentation, that all necessary checks are being made on a regular basis, that assessments are consistent with the level of change being contemplated, and that reviewers are fully conversant with the implications of the proposals, in addition to any provisions that might be necessary to provide assurance that the proposals will work in practice. Reality mismatch A well-developed safety culture will always be consistent with the nature of the safety case and the state of the plant. What this means in practice is that the plant state and configuration will always match the assertions of the safety case, and the plant condition will always support and enhance the requirements of the safety case. In other words, the plant state, configuration and condition must, at all times, be fully consistent with the claims that are being made in the safety case and that likewise the claims that are required in support of the safety case must never make demands on plant or personnel which are unrealistic or unreasonable. A well-developed safety culture will prompt plant management to make such consistency checks for themselves, whereas a less-well developed safety culture will usually result in regulators’ having to insist that such checks are made. Suitable checks can be made on a room-by-room, system by system or function by function basis, as appropriate to the claims made in the safety case. Which ever means are used, it is essential that the provisions of the safety case are at all times fully reflected in the reality of the plant and personnel characteristics, and if licensees are seen to be inattentive to such matters, regulators may have to make such checks themselves. If this were to become necessary, it would be indicative of at least three basic shortcomings in the licensees’ safety culture. First, the regulator would have to be concerned that the licensee was not making the necessary cross-checks, and that, amongst other things, this could indicate a lack of commitment. Secondly, such inattention would be indicative of the fact that communication and co-operation within an operating organization were not properly developed. Thirdly, such a situation would not only place an 252 undue burden upon a regulator, but it would tend to indicate that the licensee did not possess a learning culture, which would then be a major concern. Violations Non-compliance (violations) tend to be recorded by most licensees to varying degrees, in relation to breaches of operating rules and operating instructions. Such reports can be of variable quality and detail but almost all will be notifiable to the relevant regulatory bodies. Not only do violations provide a rich insight into the operational performance and compliance characteristics of any organization, and a fertile ground for investigation into general and specific problem areas, but they also serve to indicate whether a licensee is radically different to others operating similar plant. Whilst recognising that there will, of necessity, be some important differences between the reporting levels and criteria that must apply as between nations, it is possible, nevertheless, for a licensee to benchmark itself in relation to others in a similar class, e.g. those operating similar plant or similar age. Such benchmarking can provide valuable insight into the relative success with which a licensee is managing its affairs, and is indicative of the extent to which its safety culture is keeping up with the evolution of other comparable organizations. For example, if a licensee had plant that was broadly similar in design, age and operating regime to another licensee’s installations, and which, even after allowing for reporting level differences, experienced a disproportionately high incidence of non-compliance as compared to its counterparts elsewhere, this would be a matter for investigation by both licensee and regulator. As a minimum, such an investigation would need to account for the apparent differences between apparently comparable installations. This would indicate, first of all, the presence of a learning culture, and therefore a potentially strong safety culture at work. In addition, it would provide the basic raw material for the necessary corrective actions that one would expect to flow from such an investigation, thereby satisfying the requirement of continuous improvement and a desire to remain at the fore front of the nuclear community. Repeated requests for dispensation to regulatory requirements Requests for dispensations to existing regulatory requirements can occur, particularly prior to restart after a planned outage. When requests are frequent this should trigger a review of the adequacy of the regulatory requirement, or of whether production priorities are being over-emphasised at a possible disadvantage to safety. The latter would be a sign of a weakening safety culture. When requests for dispensations are made at the last minute the regulator is placed in the unenviable position of having to prevent production restarting, with the associated economic consequences; instead of the focus being on the inadequate planning and work implementation by the organization. The latter are signs of weaknesses in the organizational culture that clearly have consequences for safety. 6.2.4. Employee issues Excessive hours of work A significant factor in the degradation of personal performance is fatigue. Safety culture relies on optimum output in the areas of attention, questioning attitude, diligence and fitness for duty, however, all these are adversely affected when a person is tired and stressed. Working hours must be formulated and regulated to allow individuals to perform their allotted duties within reasonable time scales without imposing undue pressures which can induce 253 unsafe and undesirable consequences. Transition from normal to additional working hours is an accepted part of industrial life, however, excessive and sustained overtime work can lead to safety problems and is unfortunately all to frequently sought by the worker. Regulators can check the hours worked by staff, either permanent or contractors, to monitor the acceptability of overtime and to identify cases of excessive or sustained attendance hours. Many incidents have included the influence of overtired and stressed individuals as a contributing cause and this is one area that needs to be identified and analysed by the regulator as a category in occurrence trending. Persistent abuse of overtime and the continued re use of staff on call-outs or replacement work would indicate to the regulator that resource levels and planning of work require investigation. The potential for excessive working hours is particularly acute in outage periods and when combined with the attendant pressures of meeting deadlines and the physical stresses often experienced under outage conditions can lead to a serious degradation of safety culture. Number of persons not completing adequate training Training plays an integral role in the safety culture of an organization and the regulator would want to be assured that adequate attention was being paid to the quality and applicability of training programmes. These aspects are checked by submission, examination and acceptance of the training required by the regulator, however, the attendance and performance of staff at training sessions needs ongoing attention. Regular checks on the status of training hours and the results of training testing are easy to undertake and when added to the profiles obtained from analysing other safety culture areas can provide additional indication of the commitment level of staff and management. When this information is correlated with the results of occurrence analysis, particularly, if groups or departments are highlighted it provides supporting evidence to the regulator that further investigation and targeted corrective action may be needed in the area of training. Failure to use suitably qualified and experienced persons All nuclear plant operations should employ suitably qualified and experienced persons. Whilst this is a basic requirement, and even a licence condition for many operating regimes, it is apparent that it cannot always be achieved in practice. Such failure tends to show itself in those incident and accident event reports that conclude that further training/retraining etc. of personnel is required. Suitably qualified and experienced persons can be readily identified and recruited, however, by careful attention to the needs of a given job. This proactive approach includes identification of the principal duties and responsibilities of the job holder, the attributes required for the tasks to be performed and the preparation of a profile outlining the characteristics that would be required of any job incumbent in order to carry out the duties effectively. Poor safety cultures would tend not have job profiles available, nor would they make the necessary attributes explicit, whereas good safety cultures would not only have all the basic systems in place, but they would seek to use incident feedback, amongst other things to identify any personnel deficiencies, and incorporate any such identified features into their selection and recruitment procedures for future application, as appropriate. The presence of unsuitable and inexperienced personnel becomes readily apparent when checks are made regarding knowledge and experience requirements against the basic skill, knowledge and task capability that is available within a workforce. Such checks can be made by means of skills and job task analysis. 254 Understanding of job descriptions Typically in poor safety cultures, some individuals are not fully aware of the full requirements, responsibilities and accountabilities of their job. This can arise either because job descriptions have not been properly prepared in the first instance, or else because individuals have not been properly briefed on the expectations of their employer. In either case, it will be apparent that there is the potential for a significant mismatch between the expectations of the employer and the employee. In order to check that this is not a safety culture concern, the licensee should produce the necessary safety components of the relevant job descriptions. The regulator should then require evidence that there is a one to one correspondence between the job holders’ understanding of their respective job responsibilities, and the licensee should be able to produce evidence that the job holders actually understand the requirements of their jobs as defined by the licensee. In the first instance, such confirmation could take the form of a simple written affirmation that the jobholder has received, agreed and understood the job description, and that the licensee is confident that the job holder understands the job description and the general requirements. This would probably need to be followed up by way of further confirmatory checks, however, such that, wherever possible, key job holders would be asked to outline their jobs, and indicate their competence, skills, knowledge, background and experience, which would all be evaluated against the job descriptions that had been prepared. Where necessary, further checks would then be made at the discretion of the regulator, by seeking confirmation of the suitability of both job descriptions and job holders as evaluated by additional external agencies, such as the operators of similar plant and/or recruitment/training specialists. Contractors An emerging trend in plant maintenance and support is the increased employment of contractors to replace traditionally plant based personnel. Whilst this has financial benefits for the Utility it often comes at the expense of safety, either directly as a result of lower contractor standards or the indirect effects on permanent plant employees. Control and direction of contractor employees can often fall short of that expected from permanent plant employees. Regulators can monitor this situation by regular checks on contractor behaviour, analysis of reported occurrences of contractor performance, on-site inspection and review of contractor records. Trending and analysis of occurrences or problems may reveal contractor involvement and shortcomings, however, the regulator needs to be aware at an early stage of the utility’s intention to utilise contractors. Examination of the contract specifications and conditions prior to contract award may allow the regulator to determine the adequacy of safety, supervisory and training provisions and require appropriate amendments. One of the problems associated with contractor usage is the effect on regular employees who may feel threatened, insecure or resentful all of which may have adverse impacts on their safety performance. However, any changes to contractor policy or adverse performance attributable to contractor involvement needs to be identified by the regulator so that any remedial action can be taken swiftly. 255 6.2.5. Plant conditions and trending Plant conditions provide a useful and valuable insight into the general health of an organization’s safety culture. It has long been recognised that poor housekeeping standards are an indicator of behaviour and attitudes that are not likely to be conducive to the development of a sound safety culture. Other indications are lack of attention to alarms or repair of malfunctioning equipment; overdue maintenance work or poor information recording and archiving systems. These deficiencies are prevalent when there is inadequate managerial and supervisory attention to safety matters, and often reflect the absence of an effective selfassessment and self-inspection regime. Such deficiencies damage the credibility of any claimed organizational commitment to safety. Collecting data from occurrence reports in categories of human factors allows safety culture to be displayed in various formats for simple presentation. The attached examples show “ERROR” categories of “Omission” — where the worker did not carry out an action and caused an error, and “COMMISSION”, where the worker physically committed an action that caused the error. These proportions can indicate training, complacency and even attitude problems that if analyzed further by root cause analysis or questioning can pinpoint weaknesses in the system. Behaviour Type information is displayed in percentages to indicate the captured data by categories communication, cognitive, perception and motor. These headings are selfexplanatory and can also indicate areas for improvement if their trend is increasing. Further analyses by department, group and error groups will allow individuals and teams within the organization to focus on specific aspects that may require corrective action or perhaps a pat on the back for work well done! It should be noted that whatever the category or type of data selected it must be based on fact, be easy to collect and indicate areas of direct interest to the persons involved. This type of feedback is particularly useful in the promotion of safety culture principles and when drawn from a specific activity period such as an outage it can be used to illustrate how the workforce behaved and which problems need to be addressed in the future. 6.3. ILLUSTRATION THROUGH NATIONAL EXAMPLES 6.3.1. Risk-informed, performance-based regulation in the USA This Section discusses the new process in the USA for reactor oversight and assessment, emphasizing its procedural — rather than technical — aspects. More detailed technical material relating to the process is available through the NRC’s Website (www.nrc.gov). The new risk-informed/performance-based (RI/PB) process is a major departure from the way NRC conducted its reactor oversight process in the past. However, it should be emphasized, at the outset, that NRC is not abandoning regulatory tools that have proved their usefulness over time. Rather, the new system is an attempt to add some new dimensions to make the oversight process more efficient, economical and effective. In this regard, terminology is important. The Commission has specifically used the term “risk-informed” to make clear that the new system has not discarded “deterministic” techniques to become entirely “risk-based”. The new program does make broader use of probabilistic safety analysis as a powerful regulatory tool. But the PSA approach represents only one element in the regulatory arsenal. “Performance” is 256 another key element that NRC assesses through wide range of techniques, including inspections and industry self- reporting. Prior to adoption of the RI/PB system, the NRC’s approach was represented — correctly or incorrectly — as one of the most prescriptive of almost any other national nuclear regulatory body. By prescriptive, critics were referring to an emphasis on compliance with detailed rules, and enforcement through intensive agency inspections. NRC’s earlier system reflected the long history of nuclear regulation in the USA. It was implemented through a process called the systematic assessment of licensee performance (SALP). The SALP process involved public meetings between the NRC and licensees to review plants that had received good scores or bad scores in the inspection and assessment process. This resulted in considerable tension between operators and regulators, with increasing complaints about the costs and burdens of regulation. NRC decided to make some far-reaching changes in its oversight process for a variety of reasons. One factor was the maturing nature of the nuclear industry and nuclear technology. Since the Three Mile Island accident in 1979, the US industry had achieved substantial improvements in plant performance, including in safety-related areas. Many in the industry and Congress felt that the NRC had failed to give sufficient recognition to these improvements. They argued that the Commission’s continued intensive inspection effort was too intrusive and expensive for a highly competitive industry that had implemented effective safety programs on its own initiative. Also, in recent years NRC had developed improved regulatory tools. These tools included: substantially more sophisticated PSA (probabilistic safety analysis) techniques through advanced computer modelling; the evolution of safety codes and guides; new and improved inspection techniques; advances in non-destructive testing; and revolutionary developments in information technology and communications that enabled information to be acquired, processed and transmitted much faster and less intrusively. Political and economic factors also influenced the regulatory environment. For example, the restructuring and de-regulation of the electric utility industry in some parts of the USA created pressures to reduce regulatory costs. Utility share-holders, industry representatives, interest groups and the Congress all reflected the opinion that the NRC’s regulatory effort was not making the best use of resources in enhancing safety. Internal factors at the NRC also played a part, as the Commission faced budget reductions and staffing constraints. Along with a major reorganization along the lines of a business model, the Commission felt it needed to make some major changes to its oversight process. 6.3.1.1. Objectives of risk-informed, performance-based system What does the NRC seek to accomplish with its new system? The main objectives of the new system include: x Taking advantage of risk insights through PSA and computer modeling of reactor systems; x Rewarding good performance by reducing regulator attention in areas that do not warrant it; x Focusing attention on poor performers; x Focusing attention on areas where risks are potentially greatest; 257 x Reducing unnecessary regulatory burdens on nuclear operators; x Increasing predictability and consistency of regulatory oversight; x Making more efficient use of regulatory resources. The RI/PB approach has other advantages that are expected to make it an effective tool for enhancing safety. Because of its simplicity, visual character and organizational clarity it can help bridge the gap between nuclear technicians and persons interested in nuclear safety who lack a technical background. For example, the new system can help educate new utility executives and managers that lack experience in the nuclear business about safety-related issues. It should enable safety managers to communicate effectively to higher management about the status of plants and to focus their attention on issues needing attention and resources. The approach should also be an effective mechanism for informing the public about the overall situation at nuclear plants. As will be further discussed, the RI/PB system involves a colour-coding of various performance indicators deemed relevant for nuclear installations. This will enable anybody with computer access to the world-wide web to rapidly and directly view a simple, graphic assessment of a nuclear plant in their vicinity (or anywhere in the country). For plants showing positive assessments, this open access should contribute to public confidence by clearly demonstrating regulatory attention to safety matters. For those with less-satisfactory assessments, the new approach could generate public or share-holder pressure on a utility to resolve areas of high risk or poor performance. Structure of the risk-informed, performance-based system The overall structure of the new assessment program covers three strategic performance areas: reactor safety, radiation safety and safeguards. Under these three strategic areas, are seven fundamental elements designated as cornerstones. In architecture, a cornerstone is a foundation stone that supports the rest of an edifice. The Oxford dictionary also defines it as an indispensable part, or basis. The seven cornerstones consist of the following: I. II. III. IV. V. VI. VII. Initiating events. Mitigating systems. Integrity of barriers to the release of radioactivity. Emergency preparedness. Occupational radiation safety. Public radiation safety. Physical protection. Under these seven corner stones sixteen performance indicators have been identified. These are the detailed areas in which NRC will conduct a plant assessment, using riskinformed techniques as well as the deterministic approaches that have always characterized the regulatory process. (See Table XVII). 258 6.3.1.3. Colour-coded assessment indicators The NRC has also identified three so-called “cross-cutting” elements that apply to all of the corner stones and performance indicators, and will be assessed for all other elements. These are: x Human performance. x Management attention to safety and workers’ ability to raise safety issues. x Finding and fixing problems. Having defined these cornerstones, performance indicators and cross-cutting elements, it is important to understand how the NRC uses them in the concrete process of reactor oversight. The NRC wanted a clear and simple way to indicate levels of performance. That could have been done through a numerical system or an academic-style letter grading system (A = excellent; F = failure). However, the NRC decided to utilize an approach that resembles a motor vehicle traffic control system. This approach uses colour-coded designations to give visual clarity to its assessments. Colour-coding allows the NRC to graphically present the status of plant performance on a single sheet of paper, providing a dramatic and — for the public — a very understandable indication of safety performance. TABLE XVII. ELEMENTS OF NRC’s NEW OVERSIGHT PROCESS Cornerstone I — Initiating events 1. Unplanned reactor shut downs both automatic and manual. 2. Lost of normal reactor cooling system following an unplanned shut down. 3. Unplanned events that result in significant changes in reactor power. Cornerstone II — Mitigating systems 4. Safety system not available--specific emergency core cooling system and emergency electric power systems. 5. Safety systems failures. Cornerstone III — Integrity barriers to the release of radioactivity: 6. Fuel cladding (measured by radioactivity in reactor cooling system). 7. Reactor coolant leak rate. Cornerstone IV — Emergency preparedness 8. Emergency response organization drill performance. 9. Readiness of emergency response organization. 10. Availability of notification system for area residents. Cornerstone V — Occupational radiation safety 11. Compliance with regulations controlling access to radiation areas in plant. 12. Uncontrolled radiation exposure to workers greater than 10 per cent of regulatory limit Cornerstone VI — Public radiation safety 13. Effluent releases requiring reporting under NRC regulations and license conditions. Cornerstone VII — Physical protection 14. Security system equipment availability. 15. Personnel screening program performance. 16. Employee fitness-for-duty programme effectiveness. 259 How are the colour-coded assessments to be interpreted? Green means that all of the seven cornerstone objectives have been met and that there is no significant deviation from expected performance. White indicates that there are certain areas in the cornerstone that are outside the bounds of expected performance on specific performance indicators. Overall cornerstone objectives continue to be met and, most importantly, deficiencies identified have a very small effect on accident risk. Yellow indicates that the cornerstone’s objectives are met, with minimal reduction in the safety margin. However, performance changes can have a small effect on reactor accident risk. Red is the lowest of the level, and indicates that plant performance is significantly outside the design basis. Significant reductions in safety margins have occurred and continued operation may be unable to provide assurance to the public health and safety. 6.3.1.4. NRC response plan under the new assessment system Based upon the assessment of cornerstones and performance indicators, the NRC has adopted a response plan indicating what regulatory action will be taken. The response plan is based on five levels. Level I — cornerstone objectives fully met For a plant where all cornerstones are met and all of the inspections findings are green, NRC will conduct only routine inspection activity, with NRC staff interaction with the utility. The commission’s baseline inspection programme applicable to all licensed reactors will be conducted, with an annual assessment at the public meeting, typically conducted in the area of the plant. Level II — cornerstone objectives fully met (no more than two white inputs in different cornerstones) This level shows somewhat deteriorated performance, but the objectives under all seven cornerstones continue to be met. This level indicates acceptable performance, but with some regulatory issues needing attention. The NRC response takes place at the regional level, involving a public meeting with utility management. The utility is expected to take corrective action to address the white areas in its performance assessment. NRC inspectors follow-up to ensure that the corrective action has been taken. Level III — degraded cornerstone (two white inputs or one yellow or three white in any cornerstone) This level of assessment begins to be serious because one of the key cornerstones has been degraded. The NRC response remains at the regional level, but in this case the Commission’s senior regional management holds a public meeting with utility management. The utility is also required to conduct a self-assessment with NRC participation. Additional NRC inspections are focused on the causes of degraded performance. 260 Level IV — repeated or multiple degraded cornerstones (multiple yellow or red inputs) This level signals serious safety-related issues at a plant. The NRC response is at the agency, rather than regional, level. The Commission’s Executive Director for operations holds a public meeting with senior utility management. The utility is required to develop a performance improvement plan, with active NRC oversight. An NRC team inspection that is set out to the facility covering all the areas of concern that focuses on the causes of degraded performance. The commission may also take enforcement action by transmitting a demand for information, by issuing a confirmatory action letter (formally recognizing steps taken by a licensee), or by issuing an order directing the utility to take certain action. Level V — unacceptable performance (overall red inputs with unacceptable reduction in safety margin) Under this level, NRC takes serious enforcement action at the agency level. The plant is not permitted to operate and the Commission, itself, meets with the senior utility management at agency headquarters in Washington. The Commission may issue an order to modify or to suspend or revoke the utility’s operating license. 6.3.1.5. Implementation of the new assessment system NRC began to develop the proposal for its new oversight process in 1999, with a pilot project. The system was applied to 9 plants in the USA in a preliminary way. After six months, this pilot programme was evaluated on the basis of comments from major stakeholders, including licensees, interest groups and the commission’s own staff. In April 2000, NRC put the system into the preliminary effect for the entire USA nuclear industry. In March 2001, the continued application of the system was confirmed by the Commission. Implementing the system has required the NRC staff to integrate risk analysis techniques with traditional deterministic approaches in a more extensive manner. Risk analysis has been used to identify the sixteen performance indicators utilized in the new system. Both risk analysis and traditional inspections are utilized to determine the level of performance under each indicator. Assessment of each of the broad cornerstones typically involves a mixture of technical, management and resource issues. The primary risk analysis will be performed by the operator using either his own organization or technical assistance organization. However, the NRC has a large staff that is capable of reviewing licensee risk assessments in detail, based upon information provided by licensees, as well as independent information available to the commission through its own research programme, or otherwise. After completion of the analysis, the NRC is in a position to assign the colour-coded assessment of performance to each cornerstone. The new oversight process is an evolving approach. During the period of its early implementation, the reaction from stakeholders has been positive. It is expected that the programme will be adjusted on the basis of experience with applying the cornerstones and performance indicators. Whether the system is continued in its present form or is significantly modified will be determined on the basis of how well it continues to meet the objectives of regulatory efficiency, effectiveness and economy that were the basis of its creation. 261 6.3.2. German safety culture experiences The German nuclear industry has a broad experience in safety culture. Safety culture is the collective commitment of an organization to high safety standards. In the following, some features of safety culture are described and discussed. Safety is the pivot in the public debate on nuclear energy. It is a prerequisite for its future, as it was the centre of our endeavours for development in the past, from the very beginning of nuclear electricity production. Looking back, three different approaches to enhance safety are distinguished: x From the start and in the phase of the commercial breakthrough of nuclear power plants, the focus has been on technical solutions. The answer to any problem was better and more sophisticated technique. Pursuing this strategy, we developed very reliable, but complex machines. With increasing success, reliability and safety tended to approach a plateau, all further improvements were more and more counterbalanced by added complexity. x Then, human performance problems became the focus of attention. This brought about significant improvements of the man-machine-interface, leading to a substantial lower probability of a human being to err when performing his job in a NPP. But again, we gradually seem to approach a limit that cannot be exceeded when following this strategy: Increasingly more of the fixes of problems we establish, either simply do not hold for a long time, or they just create another problem somewhere else. x For further real improvements, we have to go beyond technical design and beyond the performance of individuals and their interactions with components and technical systems. We have to include into our reflections and endeavours also interactions between individuals, collective social and organizational processes, and managerial policies and practices. Psychologists speak e.g. of “supra-individual and self-regulating structures“ and of “behaviour settings“, in the nuclear industry, we created the term “safety culture”. Safety culture is an integral part of the quality assurance programme. As safety itself, safety culture is the irrevocable responsibility of an organization, which is operating a NPP (self-regulation, no dilution of responsibilities). Within the organization, it is the management that takes the overall responsibility for a high safety culture. It shapes the environment in which people work, and thus influences their behaviour and attitudes to safety. Safety culture comprises all the organization’s arrangements for safety. 6.3.2.1. Objectives of safety culture The IAEA has defined safety culture as follows: “Safety culture is that assembly of characteristics and attitudes in organizations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance”. A shorter definition comes from the confederation of British industry: “Safety culture is the way we look at things and the way we do things around here”. 262 An important factor of safety culture is that it is more than the sum of its parts, it is a collective commitment to safety. Therefore, to gain a high safety culture, one must not focus on1y on individua1s, but rather on the organization as a whole. The general objective, to enhance safety culture, is too abstract to be operable. It can be subdivided in 4 sub-objectives, which are more tangible: High safety standard To develop the safety standards of nuclear power plants as high as possible needs no justification in this lecture. But it is important to make clear that high standards of safety have to be achieved by both, the organization and individuals. No conflict between safety, production, and costs Safety should not be jeopardized in the pursuit of production targets. On a long-term basis, only a safely operated plant can meet competitive goals. The top-management of a NPP has to bear this in mind and to sharpen the awareness of sub-managers and staff for this strategic view, and to ensure that the pressure of short-term optimisation does not override this long-term recognition. On the other hand, to be fair, an absolute priority of safety over costs can never be reached, and on an ethical basis, it even would not be acceptable. As everything else, safety is subject to the law of declining marginal utility. The higher the safety, the more money has to be spent to gain only a small increase in safety. Above a certain limit, it is not justified to use this money for that small advantage, when it could bring much higher benefits if used to reduce other risks or even real harm. But this triviality must not be abused to refuse a very high ranking of safety and to reject any reasonable improvement in safety matters. Fortunately, this problem is reduced by the simple fact that most measures to increase safety simultaneously also increase reliability and very often reduce operating costs, for example improved planning and work control, clearer accountabilities, reduced organizational interfaces, better communication and team work, and so on. Improving safety culture, properly done, is largely identical with a more effective management of works. Reasonably looked at, conflicting goals between safety enhancement and cost reductions are rather rare events, and they can be decided upon in a rational manner, giving safety the attention needed. Good communication between, and co-operation of all units and levels For complex tasks, which require teamwork, communication is one of the key factors for effective and successful performance. Good communication brings about three essential advantages: x It is a good defence against misunderstandings; x It helps to override hierarchical and departmental barriers; and x It contributes to satisfactory working conditions, which on their side improve the motivation of workers on all levels. 263 More effective conduct of work Effective conduct of work is a prerequisite for competitiveness and for safety, and simultaneously, it creates satisfaction with one‘s work, which again is the basis for motivation. 6.3.2.2. Features of safety culture A high safety culture ensures good safety performance through the planning, control, supervision, and performance of all safety related activities. To fulfil this, the management of a NPP should make an ongoing effort in the following 5 fields: Definition of safety requirements An organization should express its commitment to high safety performance in a clear and unmistakable way, for example in a vision or mission statement defining safety requirements. In addition, it should specify the responsibilities and activities required to ensure safety and to satisfy legal, regulatory and company requirements, and it should provide the resources (sufficient and competent staff, tools and equipment} necessary to achieve all that. In a consistent framework, the management should define what needs to be done, to what standard and by whom. Senior managers should develop ownership and active support of the organization‘s safety policy, and they should eagerly disseminate it throughout the whole organization. All managers should understand their roles and responsibilities, and should ensure that all individuals concerned are aware of and accept their safety responsibilities and have the capability and the appropriate resources to discharge these responsibilities effectively. Ensuring high safety standards in planning and control The management of a NPP has to ensure that all safety related activities are properly planned and controlled, including identification of risks to health and safety, selection of procedures and precautions, and — if appropriate — arrangements to cater for emergencies. It also has to determine work authorisation requirements on a systematically basis. Ensuring high safety standards in work performance To attain high safety standards in work performance, the management of a NPP has — amongst others — to ensure that all staff have the competence required, and it has to provide for effective communication and team support. The latter should help to understand and accept safety arrangements, reduce error probability, improve feedback mechanisms, and enhance satisfaction at work and thereby motivation for good performance. Additionally, the management has to support good safety practices and to correct poor practices. Presence of managers at the work place, appropriate awards and sanctions, and encouraging the reporting of failures and “near misses” can help to obtain that goal. Encouraging safety related attitudes and behaviour Questioning attitude, rigorous and prudent approach, and good communication are the characteristic features of a good safety culture. It is the task of the management to improve all 264 three of them, in order to obtain an ever-higher safety culture. The shaping of attitudes and behaviour is a much more demanding task than the — equally necessary — task of improving competence and skills of individuals. It is the real core of “improving safety culture”, and, in spite of all doubts, it can be met successfully. We do perform this task in NPPs all over the world, and we do have some success in our endeavours. But it is my personal impression that, in a large number of cases, the success could be increased by applying a more systematic approach, or with some outside assistance, for example by IAEA or WANO. Improving feedback on safety performance To facilitate an effective feedback system, safety performance must be measured routinely. The measures should have the capability to highlight whether the safety performance of the organization is being maintained or improved, and they should also allow the underlying causes of any performance deficiency to be identified. This is essential, if appropriate counter-measures are to be identified. Measuring the safety performance is both, easy and delicate simultaneously. After measures have been defined, audits and reviews should be performed on a regular basis. They should cover all safety-related areas and should be carried out either internally or through independent institutions on a peer basis. IAEA, WANO and INPO offer corresponding services. In response to findings in audits and reviews, appropriate corrective actions have to be identified and implemented. The management has to ensure that this is done systematically and that it includes an assessment of the effectiveness of the corrective actions after their implementation. 6.3.2.3. Specific safety culture issues Flexibility The description of safety culture given above is neither complete nor generally applicable. In any case, due allowance should be given for adjustments to different cultures in different countries and in different companies. It is the overall effectiveness that counts, not the specific composition. Effectiveness The management of a NPP sets the framework for all endeavours to enhance safety culture. But it should be clearly pointed out that even the most perfect framework can never substitute the commitment of the individuals concerned. A more perfect framework is a help to reach the goal with a higher degree of probability, but it can never be a warranty. To enhance safety culture, the right individual attitude of the senior managers is indispensable. If the senior managers do not feel it necessary to improve the safety culture, no framework and no system, however perfect, can be successful. Another problem with perfect systems holds even for willing people: Whenever a system is very perfect, people tend to perceive this system as a means that automatically achieves the goal, without the need for strenuous individual effort; the system solves the problem, not individual strain and engagement. This subjectively felt sense of relief from individual challenge and responsibility is a common phenomenon in case of perfect systems 265 and also holds for safety culture. A good system is essential, a perfect system can create new problems. Finally, to reach a high effectiveness level, all employees, managers and staff, have to accept the goal of high safety performance and to understand the processes and procedures the organization has chosen to pursue that goal. They have to do what is right, because they know what is right, not because it is required. Sustainability Humans tend to choose the easiest way, to forget things, to stop thinking, and to transfer carefully considered procedures into automatically followed routines. Therefore, safety culture is an inherently declining feature. If we do not continually strive to enhance it, it gradually degrades. We constantly have to move forwards, ever standing still means stepping backwards. The management of a NPP has to establish an ongoing learning process as part of the safety culture, otherwise an established standard cannot be maintained. Performance indicators Monitoring the safety performance is a management responsibility. The use of quantitative performance indicators has a lot of advantages (e.g. enabling trending, goal setting and benchmarking with other plants), but care should be taken not to give them too high a value in order to avoid misleading effects: x For example, if reaching a low number of unplanned automatic scrams is valued very highly, pressure could rise to adjust the set points for triggering the scram appropriately. x Or, with regard to the collective dose, people could find themselves seduced to reduce equipment tests, or they could welcome a reason for not performing inspections of the workplace and work practices, and so on (this problem is independent of the more general dispute on the appropriateness of this indicator due to substantial doubts regarding the validity of the linear-no-threshold hypothesis, which is the base of the collective dose). x As a last example, the number of significant events as a performance indicator could increase tendencies to cover up or to play down the importance of the event. Very probably, every indicator can exert negative influences, if it is valued too high. So, performance indicators are useful and probably even necessary, but they should be used with care and the management should clearly explain their limited importance. Self-assessment As already stated, safety culture tends to degrade with time. This problem is amplified by the very nature of humans, which impedes early recognition of declining performance. First signs and precursors are often denied or just regarded as isolated cases. This defence mechanism is principally stronger when the information about negative signals comes from outside institutions. The other way around, it is generally easier to accept unpleasant news, if they are detected by one‘s self. Therefore, it is preferable for an organization to have an internal or self-evaluation programme. This self-assessment generally can identify signs of degradation earlier than an external audit or review. If detection is left to the latter (or even to actually occurring events), the required corrective actions are often far more extensive and 266 expensive to implement. Of course, the critical self-assessment has to be complemented by clearly prioritized action plans, which address the root causes and which are pursued rigorously. The self-assessment reinforces the responsibility of the operator. But, to avoid complacency and professional blinkers, the self-evaluation programme should be supported by periodic external peer reviews. The frequency of these external reviews can be much less than that of the internal assessments, but from time to time an external check seems to be a sound corrective. Indivisibility Safety is indivisible. Low standards in industrial safety or in housekeeping, a large backlog in maintenance work, a poor archiving system, and all similar conditions, give clear evidence of threats to nuclear safety. Top is top, but only the number makes it work The strong commitment of senior management is a prerequisite to establish and maintain a high safety culture. But the strongest commitment from senior managers cannot compensate for lack of support from the whole staff. Only if all employees (or at least most to them) take ownership of a programme to enhance safety performance continually, a really high standard can be reached. Senior managers can work as hard as they like, without support of their staff they will never reach a high level of performance. The quality of individuals is important, but the quantity of support decides the level which can be reached. The management has to find the means to get real support from all employees. Safety is the sum of 1001 nothings There is no single big strike by which one can reach a high level of safety performance. Rather, it is always a long and strenuous way with thousands of small steps, most of them seem to be only of secondary importance, but they all contribute to the great goal, and none of them can be left out without endangering the goal. It is the task of the management to make sure that all small steps are taken seriously and are implemented properly. Group behaviour Group work is essential, but care has to be taken of special group effects. For example, groups bring about a diffusion of responsibilities, and they tend to develop common opinions. This undermines questioning attitudes and, together with the encouraging feeling of shared judgement, it actually leads to a higher risk taking. The management of a NPP should be aware of these psychological effects. Their principles and appropriate countermeasures should be integrated into training programmes, and, very important, responsibilities should strictly be assigned to individuals, not to groups. A very effective measure to reduce negative group effects is that the leader speaks last. This brings about at least 4 essential advantages: 1. Group members are encouraged to tell their true and independent opinion, and not just repeat what the leader has said; 267 2. This increases the motivation and creativity of the group members, and it reduces the danger of self-consolidating opinions by frequent repetitions; 3. It enables the leader a better assessment of the quality of his subordinates; 4. And finally, it gives the leader the chance to recheck his beforehand built opinion before speaking it out loudly, thus reducing the probability of looking like a fool. Error management How an organization deals with errors has a key influence on how well it can obtain a high safety culture. Three features are essential, and the management of a NPP has to ensure that they are established firmly in the organization: x First, errors should be regarded as a chance for learning, instead as a reason for punishing. Errors should be pulled out of the taboo corner and discussed openly. The better the communication on errors, the higher the safety performance (and the commercial performance!) of an organization. Never ask who made an error?, but always why did this error occur? But be careful to keep the balance: Even when people should not be punished for errors, they still must be held responsible for the errors they make or might make; x Second, the goal of preventing errors should be complemented by the goal of managing errors that is handling the consequences of an error effectively. Since errors can never be avoided completely, we have to learn to cope with them; x And finally, we should keep in mind that any individual error is necessarily embedded in organizational processes, the subject the management has to take care of. It are these processes, which determine largely the probability of errors. Wrap things up Errors, weaknesses and areas for improvement are often known for substantial times, but countermeasures taken — if any — just alleviate the problem enough to carry on operation and do not really address the root causes, or they are simply not followed rigorously until the problem is really solved. Recurring events, continued improvising, and unacceptable high numbers of unresolved problems with overall reduced safety margins are the consequences. The management of a NPP has to establish and reinforce procedures that ensure timely, complete and sustainable solutions to all problems arising. Training Training has to be viewed as an investment, not a cost. The management of a NPP has to make sure that training needs are identified for each job profile and each individual, and that training is performed at high quality. A good means is to use staff members as trainers, because teaching/mentoring/coaching is the best learning, but that must not compromise the quality of the training sessions. The training should include learning from failures and learning from successes and from good practices. Success is a strong basis for motivation, and failures seem to be necessary to recognise the right direction. 6.3.2.4. Closing remark The key factor for achieving high safety performance is the same as that for achieving success in competition: Good leadership. 268 6.3.3. Interface of regulator and operator — Finnish experience In Finland, the decision of the council of state on the general regulations for the safety of nuclear power plants says in its Section 4: “When designing, constructing and operating a nuclear power plant an advanced safety culture shall be maintained which is based on the safety oriented attitude of the topmost management of the organization in question and on motivation of the personnel responsible for work”. This pre-supposes well organized working conditions and an open working atmosphere as well as the encouragement of alertness and initiative in order to detect and eliminate factors which endanger safety. 6.3.3.1. Cornerstones of nuclear safety culture In the following a few selected principles are discussed that have been emphasised in Finland as essential cornerstones of nuclear safety culture. These principles relate to the expectations with respect to the government, the regulatory organization, and the users of nuclear energy (utilities). Government When a government makes a decision to use nuclear energy for power production, it should recognise the consequent long-term commitments. Nuclear safety culture cannot be established in an atmosphere of uncertainty, and therefore the government has to ensure predictable and smooth evolution of the national nuclear energy programme. This involves: x Specific legislation for use of nuclear energy; x Education of the public on the benefits and the risks of nuclear energy; x Commitments concerning safe nuclear waste disposal and liability for nuclear accidents; and x Continuous provision of adequate means for basic nuclear training, safety research, regulation, and international co-operation. The organizational framework for nuclear energy use and regulation has to be provided in the nuclear energy legislation. For this purpose the legislation has to define: x Duties, responsibilities, and rights of various players in the nuclear field; x Procedures for licensing nuclear facilities with adequate participation of the general public; x Means of regulatory control: rule making, safety evaluations, and inspections. Education of the public is necessary for removal of unfounded fear towards any nuclear facilities which serve the national energy programme. Also, objective information on benefits and risks is needed to permit all citizens to judge whether the use of nuclear energy is in line with the overall good of society. Furthermore, education would facilitate proper response of the public to a potential nuclear accident. The duty of producing educational material should be assigned by the Government to a proper public organization. Commitment to safe disposal of nuclear waste is inevitable at the national level even though the users have a responsibility for the practical disposal measures. The government has to provide regulatory requirements and the means to verify their fulfilment, in order to assure 269 itself that the disposal methods to be adopted are acceptable. The verification has to be supported by a research programme which is independent from the research done by the users of nuclear energy. Liability for nuclear accidents cannot rely on individual companies alone because any company has a de facto upper limit for its economic resources. On the other hand, no person should be left without a fair compensation for his losses, should a major nuclear accident take place. Therefore it is necessary for the government to commit itself to bear the liabilities not covered by other means. A certain amount of public funding and infrastructure is needed for any national nuclear energy programme. It may be well founded to collect some part of the funds from the users of nuclear energy, but the main thing is that the government decides what is the proper amount. As concerns basic nuclear training, it should ensure a steady flow of graduated students into the nuclear field. As long as nuclear energy is being used in a country, a most important thing is a wide age distribution of engineers with nuclear knowledge. A national research programme must be so broad that it covers all aspects relevant for nuclear safety. It has to be noted that a research programme with an adequate depth employs a number of experts dedicated to highly specialized fields, and their employment must be ensured with funding which does not change sharply from year to year. The regulatory organization requires a minimum size as well, to be able to cover all technical disciplines relevant for nuclear safety. Funding of that organization should stay stable unless there are major changes in the extent of the nuclear programme. This stable amount of funds can with a good reason be collected from the users, and thus be included as an essential element into the costs of nuclear energy. International co-operation is needed to gain access to the state-of-the-art knowledge, which is an essential condition for maintaining a high safety level. The provisions include international agreements and other arrangements for co-operation, and funding of the regular contacts. Regulatory organization The regulatory organizations are frequently seen as “watch dogs” who control their “customers” on behalf of the general public. This is certainly one of their roles, but to see the regulatory organization from such a perspective only may not be best for the development of safety culture. In the work of STUK-Radiation and Nuclear Safety Authority, it is strongly emphasized that the users of nuclear energy bear full responsibility for safety, and therefore true respect should be given to their views and proposals. An important duty of the regulators is to support and foster good safety performance of the users. 270 A regulatory organization promoting good safety culture must develop and maintain: x Logical and predictable behaviour; x Frank and balanced relationship with the users of nuclear energy; and x Knowledge on the state-of-the-art in the nuclear safety field. Logical and predictable behaviour means a number of things. The regulatory staff members must approach the technical issues in a consistent manner, and observe any previously declared decisions by the regulatory body. The formal communications with the users must be based on clearly defined and standardized procedures. This is not to underestimate the importance of the fast informal contacts between the organizations, but a formally recorded conclusion is needed whenever a position is taken on a regulatory issue. The requirements and acceptance criteria should be known to the users before they start planning respective issues. Any requirements set by the regulatory organization must be supported with sound technical arguments, unless a fully applicable rule exists for taking a regulatory position on the issue in question. Upgrading of requirements should be limited to situations where new information has raised previously unknown concerns on the issue, or new safety objectives have been adopted as a top level regulatory decision. The first pre-requisite for a frank and balanced relationship with the users is that the regulatory staff are able to discuss issues at the same technical level as the user representatives. If there are different opinions between the regulatory and the user experts, the regulators must be able to support their case on sound technical evidence. In a dispute, the individual regulators must also provide without hesitation a possibility to submit their position for consideration by their own supervisors. When corrective measures are required, the regulators must provide realistic time scales without undue pressure to the users. Exceptions are issues which cause a significant increase of the previously estimated risk. Availability of the regulatory staff, for making mandatory inspections whenever needed by the users, is necessary for maintaining good working relationship with the users, and for motivating top performance in them. The regulatory organizations are natural focal points for building contacts with the foreign organizations worldwide. Therefore they must possess expertise to collect and transfer knowledge on the state-of-the-art in the nuclear field. As soon as new relevant information is available to the regulatory body, it must distribute it also to the users. Information should be transferred on: x Domestic and foreign safety research; x Domestic and foreign operating experience; and x New safety regulations home and abroad. Users of nuclear energy All arrangements and measures by the users should reflect the fact that they bear the ultimate responsibility for safety. 271 Striving for excellence, rather than the fulfilment of written rules, should be selfevident in any user organization. The users following this line set their own performance standards for activities they find most important to ensure their own reliable and safe operations. Striving for excellence also means that the user has a steady investment programme. Such a programme is needed to keep the material condition of the facility at least at the same level it used to be after first start-up, and to improve reliability and safety. Another important target for investments is training of the personnel. An important part of the strive for excellence is detection and removal of safety problems. This can only be done in an open atmosphere where all technical problems and human errors can be reported without a fear of negative consequences to individuals or the user organization in general. As concerns the user staff, an issue requiring continuous attention is how to maintain the spirit of private initiative and feel of personal responsibility beyond the statutory tasks of each individual. An observation from the Finnish users is that all arrangements feeding professional pride among the individual workers are important contributors in addressing this issue. Implementation of safety culture is not an action that could be started only by writing some new instructions. Its roots are in the national culture and in the values of each organization, and the evidence of it should be more or less visible in all daily activities of the plant and its supporting organizations. In the following, a few concrete examples are mentioned which clearly manifest safety cultural elements at the Finnish NPPs. Atmosphere in all organizations is essentially created by the attitudes and practical example provided by the top management. This fact is recognised by the management of both Finnish nuclear utilities, and it is manifested through their direct involvement and keen interest in matters concerning safety as well as quality assurance. Finnish utilities have implemented a number of projects to maintain and improve the knowledge and skills of their organization and individuals. These projects include modernisation of the plants, continuous development of operating and maintenance practices and tools, and PSA studies. In all of these projects the responsibility for key tasks has been assigned to their own staff, as opposed to giving it to external consultants. Modernization of the plant systems and replacement of components are carried out observing the original design requirements, but also taking into account the upgraded new safety criteria. Updating of plant specific documentation is an essential element of modernisation work. Such projects keep the plant and the supporting organization staff familiar with all relevant design requirements, and develop their professional skills and general motivation. In parallel, knowledge on the current design basis is maintained. Continuous and well-tailored re-training programmes for all personnel levels maintain staff motivation, and also help to promote new ideas. The ability to use an up-to-date full scope-training simulator at each plant is of great value. Safety culture has for several years been a topic in induction training of new employees, in staff re-training, and in training given to contractor personnel who work on site during outages. The importance of knowing, understanding and following valid procedures is regularly emphasised in the training activities and in other general communication. 272 The continuous assessment, development and updating of quality assurance manuals and procedures is important in preserving the credibility of the QA-system. This system also defines the organizational line responsibilities. Plant management calls together QA and safety meetings and internal as well as independent audits of the QA-system performance are carried out periodically. A well functioning QA-system is one of the basic cornerstones in fostering safety culture in Finnish NPPs. The utilities have established systematic methods to utilise operating experience from their own plants as well as from other relevant sources through participation in proper international organizations. In WWER-type plants, direct contacts with other similar plants have been of special importance. Well-planned and systematically organized maintenance is an essential element in preserving the safety of the NPPs. This includes careful outage planning and a critical assessment of components and phenomena that are life limiting. General order and cleanliness have been important issues from the start of operation in all Finnish plants. In recent years, success in this respect has been regularly assessed by each plant management team. A performance index has been developed for this purpose, and good results give a financial bonus to the employees. Several measures are taken to promote the general positive atmosphere and motivation of the personnel. Separate polls have been carried to show areas where development in the organization’s or individual’s conduct is needed. Possible problem areas have also been discussed in general meetings. The exchange of general information and especially communication of planned plant activities within the organization is important in maintaining a high motivation level among the personnel and to give them an opportunity to make a positive contribution to developing the processes. Direct contacts between the technical personnel of the utilities and STUK are frequent, and the importance of frank relations is emphasised by the management and well understood by the personnel of both utilities. 6.3.3.2. Promoting safety culture When promoting safety culture the concept of organizational culture should be considered carefully. Organizational culture is based on the values of the organization and on the practices based on these values. It is the responsibility of the management to see that the organization has the right values. Especially in the safety critical organization, safety is the most important value. In good organizational culture and in good safety culture, openness, thrust and two-way communication are extremely important both inside and between organizations. Poor communication has been an important contributor in many nuclear and conventional accidents, and that is why the importance of communication should emphasized. Management of safety and safety culture are based on the commitment of personnel at all levels. The safety management system comprises the arrangements in order to promote a strong safety culture and to achieve good safety performance. The safety management system is generally considered to be an integral part of the organization’s quality management system. 273 Actually, these two are closely linked in an organization. The quality management system is a system that describes all the activities and functions of an organization including those activities that are related with the safety of the plant. The regulatory body can effectively promote the safety management system of the operator by promoting critical self-assessment and respective corrections within the operator. The regulator avoids acting in a manner that diminishes the responsibility for safety of the regulated organizations. This means that at first, the utility and operator are given a chance to correct the situation on their own; but if the operator does not correct the situation then the regulatory body has to act. Secondly, the regulatory body cannot give the solution to the operator. It is the role of the regulator to make questions. If the regulator has observed something, then the regulator should ask the operator “why did you not observe this by yourself?” and “how will you improve your surveillance practices, so that you will observe similar situation in the future?” And further, “what actions you will take to avoid a similar incidents or similar failures in the future?” It is the role of the operator to take corrective actions and be given a chance to respond. Then it is again the role of the regulator to review these actions to see whether they are sufficient and only after that to ask for some additional actions, if needed. Systematic and standardized methods of communications are needed with the operator and it is good if these standardized methods are described in the quality system. For example, protocols of the meetings with the operators are needed. Regulators should not make any decision on telephone or during conversations with the representatives of the operators. Usually, it is also a good practice that representatives from the same levels of the regulatory body and utility organizations participate in meetings. STUK has the habit never to take decisions in meetings. Discussions take place over different alternatives, time schedules, etc. but the decisions are made always later because of strict rules about who is responsible to make a certain decision. It is also good if the regulator is service minded as concerns work schedules and the availability of the regulatory staff. This is especially important during the plant shut downs when modifications are made at the plant — the inspector should be available at the time needed. Especially important is the public commitment of utility management to safety. The managers present a good example. The organizational culture can be best affected through an example: what leaders or managers pay attention to what they measure and control that is important. So, it is the example of the managers that is the most important in the developing of organizational culture or safety culture. The licensee and specifically the management of the organization has the full responsibility for the safety of his plant. The responsibility of the regulatory body is to define the safety requirements and to verify by means of inspections that the requirements are fulfilled. This is the role of the regulatory body. The regulatory body promotes an atmosphere of confidence and respect with the operating organization. If particular problems occur during operation the regulatory body requests a solution to be proposed by the operating organization. The regulator reviews the solution presented by the operator. When studying the no blame culture, the important word is intentional. If the violation is intentional then the regulator should give a penalty. For example, if a mistake is made by a maintenance person, normally, it is not intentional. When analysing the mistake one often find a root cause showing that it is not directly related to the person making the mistake but it 274 might be a poor instruction or lack of training. One should be very careful when giving penalties to individuals who are at the lower levels of the organization and have little responsibility. Regulatory inspection of safety culture The regulatory body can evaluate the operator’s safety culture. For the regulatory body the most natural means are finding tangible evidence and weaknesses of safety culture. A good approach is to search real events where decisions were taken under difficult circumstances; these cases are assessed and conclusions are made. The Finnish regulatory body is continuously trying to assess the safety culture of the utilities by making qualitative assessments and trying to gather information on decisions of the utility for trying to recognize early signs of deteriorating performance. Another possibility is the assessment of incidents: what kind of decisions were made during and after the incidents from the safety culture point of view. There are early indicators, which characterize the safety culture of operators. At first, some declining safety performance might be observed and if attention is not paid it could lead to safety problems. Actions should be taken as early as possible and therefore, the early signs of weakening safety culture are important. Often these early signs are minor and one cannot take any regulatory action. The regulator can discuss with the utility about the early signs. Resident inspectors have a good possibility to detect early signs of the safety culture because they are all the time at the plant. During team inspections, one can collect data on decisions affecting safety. In Finland, periodic safety review also includes a review of safety culture of the operator and the operator is expected to perform self-assessment of safety culture. Special surveillance programme is needed to collect the early signs of weaknesses in safety. What kind of signs is to be looked for? A list of signs of declining performance in management is taken as an example, because the management is the most important part of the organization for the development of safety culture. The management should be an example to the rest of the organization. That is why it is extremely important to notice the signs of weakening safety culture in the management activities. Some examples are: lack of pro-active approach to safety issues (the management only react to problems when they should try to prevent problems); lack of management awareness and involvement in plant activities (if the management is only doing some administrative work and never go to the plant that is a sign of weakening safety culture); incomplete information reaching the top managers (how can they make the right decisions if they do not have all the necessary information); management may be unwilling to face difficult problems and correct them; STUK has also a safety indicator “capital investment in upgrading the plant” which is followed from year to year. Another sign is the long delays or failure to meet regulatory commitments. Signs of weakening safety culture can also be found in the activities of other parts of the utility organization. Sections 6.2.2 to 6.2.5 provide a list of issues for assessing declining safety culture. A list of early signs of deteriorating performance in the operational activities of the plant contains, for example, operator errors due to inattention to details, alignment errors in electrical and mechanical systems; operator errors due to inadequate training and so on. To be able to reveal this type of signs the plant failure data and trends of performance should be studied very carefully. If the number of errors is increasing, it is a sign of poor performance and weakening safety culture. Specifically, recurring errors should be looked at. 275 What strategy the regulator should use in the response to the findings? It depends very much on the situation and it is difficult to present any universal guidelines. If only a few early signs are observed, then the regulator monitors the situations and documents the inspection findings in the inspection protocols. If the signs persist and new signs appear then the plant is placed under special surveillance, and the regulator meets with the plant management, describes the observations and asks for the response. At this stage, the signs may still be rather weak and perhaps it is not possible for the regulatory body to present clear regulatory requirements. If the utility does not take any corrective action, the signs of declining performance can become clearly visible; then the regulatory body should have a meeting with the highest level of the utility management and also present an official requirement, official letter to the utility. If that does not help, if the utility does not take any corrective actions and the situation gets worse and performance continuously declines then there is a need for an enforcement action. The enforcement action depends on the severity of the situation and also on the legislation, national culture, and the practices that the regulatory body has adopted in the similar situations. 6.3.3.3. The use of risk insights in the Finnish regulatory body In Finland, STUK applies risk insights in decision-making. The approach is used most often in the analysis of plant modifications and operational events, in the analysis of Technical Specifications and in the analysis of inspection and testing. STUK has been active in promoting the use of PSA both at the regulatory body and at the Finnish utilities, and STUK has set forth requirements in the regulatory guides. There is a regulatory guide YVL 2.8 especially for PSA applications. In official letters to the licensees, STUK has required the utilities to perform plant specific, level 1 and level 2 PSAs for their plants. PSA is used in a living fashion by the utilities and STUK. STUK requires that the licensee use the results of PSA in support of decisions on operational safety issues. PSA has got an important role in the regulatory process and in the safety management of Finnish nuclear power plants. During the 70ies when current NPP’s were licensed, reliability studies were made for the most important safety systems. No complete PSAs were made at that time. In 1984, STUK required the utilities to perform plant specific PSAs at level 2 for the existing NPP’s. Guide YVL 2.8 presents quantitative design criteria for core damage frequency and radioactive release frequency and also for the most important safety functions; compliance with this criteria is needed for construction and operating licenses. The criteria are merely design criteria. The utility needs to perform the PSA work or at least the main part of the work to be able to really use the PSA in decision-making. The reason is that they will learn about their plant and they will learn about PSA and then they are able to use the results of PSA in decision-making. A procedure needs to be written for the use of PSA and for applications. STUK requires the utilities to perform qualitative and quantitative uncertainty and sensitivity analysis. This is important in decision-making applications. The utility needs to use PSA in the design and construction phase, in the operation phase, and also in designing severe accident management strategies. At the moment, the use of PSA during the operation phase is actual, but one has to be prepared for the construction of the new nuclear power plant unit. Utilities have presented to STUK seven different alternatives and in that connection they have also presented the preliminary PSA results. 276 The basic reason to perform a PSA is the identification of main risk factors. That analysis is used in the design of plant modifications. In Finland several safety issues have been identified through PSA, the importance of which were not recognized from the deterministic analysis. Now STUK requires that the licensees need to present the assessment of safety significance of the proposed modification, independently from the safety class of the system. The modification needs to be modelled in the PSA. The PSA model needs to be living so that all the changes at the plant are included in the model as soon as possible. During the operation phase, typical application of PSA is the handling of exemptions from the Technical Specifications’ document, i.e. justifications are based on both deterministic and probabilistic criteria. Probabilistic study is required from the utilities. STUK has also analysed the Technical Specifications’ document from the risk point of view. STUK does not perform on line monitoring of the operation of the plant based on monitoring risk level. STUK has had a pilot project to develop a risk informed method for the in-service testing programmes. Some emergency operating procedures have been written based on PSA findings. PSA has also been used when severe accident measures have been designed for the Finnish plants. PSA can also be used for the analysis of events and incidents. At STUK the use of PSA is a standard method to assess the safety significance of the operational events. STUK has performed systematically follow-up studies. STUK has analyzed failures of devices covered by the Technical Specifications’ document, preventive maintenance and operating events. At first screening is performed and then selection which of the events needs to be analyzed in detail. The results of the analyses are followed as indicators. The indicator is the conditional core damaged probability relative to the annual core damaged probability. There are two types of events that are analyzed. Risk follow-up studies are situations where a failure has occurred without initiating event, e.g. there is an equipment failure at the plant unit. Precursor type of events are the events where an initiating event included in the PSA has taken place with or without failures. In these cases the probability of core damage is calculated based on the plant response to that particular initiating event. PSA is also a very useful tool in finding and analyzing common cause failures. Since the PSA criteria are especially meant for the design of the plant, STUK does not look so much at the quantitative criteria in the operational phase. STUK looks at the results of one plant and especially how the plant could be improved based on the results. It is true that the results depend to some extent on who has made the analysis and what kind of assumptions have been made in that analysis. STUK reviews the analyses very carefully to know the differences between the analyses and to know which is more conservative and what has been taken into account. The utility performs the PSA analysis in the first place. The regulatory body reviews the results, the model and all the assumptions they have made. STUK also has the model available so that STUK can make its own calculations. STUK can make sensitivity analysis with its own assumptions and with unmodified model to see what is the impact of changes in the model. 277 STUK can perform its own analysis. There is a group inside the regulatory body, about six persons, capable of performing similar analysis as utilities do. They have a probabilistic code that STUK has developed and a plant model that was received from the utility. The plant model is combined with the probabilistic code and then STUK can perform the analysis; for example, the analysis of plant events is performed by STUK. 7. EMERGENCY ARRANGEMENTS The IAEA has developed guidance for the development of emergency response preparedness for nuclear and radiological accidents [27–29]. The IAEA has also developed a training manual for reactor accident assessment and response [30] and offers specific training courses in the area. In the following emergency arrangements are described generally without going into the very detailed level. A regulatory body has two different roles in emergency preparedness and response. Firstly the regulatory body inspects the emergency arrangements of the nuclear power plant and follows emergency exercises organized by the NPP from the inspection point of view. The regulatory body also approves an emergency plan — in many countries it is one of the licensing documents. Secondly the regulatory body has its role in the case of emergency. The regulatory body assesses the accident and may give advice to the rescue authorities on nuclear and radiation safety depending on the arrangements in the country. Response to a severe nuclear emergency will involve many national and local organizations. In most countries the regulatory authority is only responsible for the emergency preparedness for the practices it regulates. Thus a national level co-ordinating authority must be designated. The national co-ordinating authority will ensure the functions and responsibilities of operators and all response organizations are co-ordinated and adequate. 7.1.WARNING OF THE EMERGENCY MANAGEMENT AUTHORITIES An emergency response classification system should be established for installations that can have events requiring prompt implementation of urgent (e.g. shelter, evacuation) protective actions. This system will initiate the appropriate level of co-ordinated emergency response on and off the site. For each class of emergency, the responsibilities and initial response actions of all response organization should be defined. Declaration of a particular class of emergency will promptly initiate pre-planned actions by the operator and all response organizations. There should be classes of emergency that initiate, as appropriate: an increase in readiness; on-site actions to mitigate the consequences of the event; precautionary protective action on and off the site to reduce the potential for deterministic health effects; urgent protective actions to avert doses; emergency protection of workers; and international notifications. IAEA advocates an emergency classification system with the following three classes (summarized in the table below): a) 278 General Emergency is the highest level and is an accident with a substantial risk of a major release. This includes accidents involving actual or projected damage to the core or off-site doses exceeding the international guidance for taking urgent protective actions. At this level, urgent protective actions are taken immediately by the public near the plant. Nearby countries should also be notified. General Emergencies should be very rare. The Three Mile Island accident in the USA and Chernobyl have been the only accidents to date meeting these criteria. b) Site Area Emergencies involve a major decrease in safety. This class includes accidents where one more failure would result in core damage. At this level, the response organizations and public prepare to take actions. In addition, non-essential on-site personnel should be evacuated or sheltered and all emergency workers provided with emergency radiological protection. Environmental monitoring should be started. In the USA, with 100 reactors, this level of emergency occurs one or two times every few years. c) Alert is an emergency involving a significant decrease in safety. At this level the response organizations increase their level of readiness. The USA has one or two emergencies at this level each year, in many cases involving hurricanes, floods or other natural threats. Class Description Alert Site Area Emergency General Emergency On-Site Action Off-Site Action Decreased safety Partial Activation of Response Increase Readiness Unknown Conditions Assist Control Room Major Decrease in Safety Full On-Site Response One more Failure Results in Core damage Evacuate or shelter non-essential personnel On-Site High Dose On-Site Monitor Substantial Risk of Major Release Same As Site Area + Actual or Projected Core Damage Recommended Protective Action to Off-site Officials Fully Activated Response Same Site Area + Implement Urgent Protective Actions near the site High Dose Off-Site Notify IAEA and near by countries A proposed classification system and associated actions taken upon declaration of an emergency were published by IAEA [28, 29]. Whereas the responsibility for on-site emergency preparedness and emergency response rests with the owner of the nuclear power plant (NPP), the responsibility for the offsite provisions is usually assigned to the local authorities. Being very rare, nuclear emergencies are no full-time job for an authority. Therefore an authority expected to respond to a nuclear emergency needs to be warned early and reliably in order to be in a position to organize itself and implement effective countermeasures. Warning may be justified because of a bad plant condition, a considerable release of radioactive substances or increased radiation doses in the environment. IAEA recommends (as has been implemented in many countries e.g. Germany), that emergency action levels (EAL) be established for classification of emergencies. EALs are, as much as possible, observable (e.g. in core thermocouples >700° C). When the EALs are exceeded the event is immediately classified and the appropriated action implemented to include issuing a warning to the off-site emergency management authorities Such criteria should address abnormal situations involving plant systems, fission 279 product barriers, weather, security, releases and environmental measurements. The EALs need to be unequivocal, derived from quantities accessible to measurement and simple enough to be applicable under the stressful conditions present during an emergency. IAEA has developed guidance on classification systems and EALs [29] Even if the public telephone system breaks down — as expected in a major emergency — the availability of communication lines between the NPP and the emergency management authority or the availability of radio frequencies must be guaranteed. The severity of the warning must be adequate, the completeness of the information to the authority is usually achieved by utilising standard forms and formats. The unit to which the warning is directed needs to be on duty round the clock, needs to know how to interpret the message, needs to be provided with a checklist on actions to be started and needs to know to whom to convey the warning, especially during evenings, nights, weekends and holiday seasons. The international aspects of early and adequate warning are determined by the IAEA Convention on Early Notification, similar agreements within the European Union, bilateral agreements on the governmental and local level etc. 7.2. RESPONSE OF THE EMERGENCY MANAGEMENT AUTHORITY The emergency management authority is expected to be prepared for quite a spectrum of accidents covering the whole range between a relatively small, local contamination and exposure of large populations. Consequently, the duties and responsibilities on the governmental, regional and local level need to be completely and unequivocally assigned. It is very important that all the response organizations agree the allocation of responsibilities. Coping with the consequences of a major release requires fast and efficient co-operation of various authorities being responsible for or surveying: x x x x x x x x x Declaration of an emergency; Public safety and order; On-site and off-site emergency management; Communication and media; Agriculture, trade and commerce; Public health and protection of the environment; Radiation protection and monitoring; Traffic and transport; Forecast of meteorological conditions etc. Co-operation of such a complexity requires that a lead authority be nominated. All authorities involved need to be warned and to be prepared in advance for their tasks and responsibilities. Recruitment of personnel and requisition of equipment must be legally possible. Police, fire brigades and several types of military units are in a position to act very quickly and efficiently. Their co-operation should be foreseen in the respective service regulations. 280 As a consequence of all these needs and requirements a complex set of laws, regulations, service regulations and service rules need to be developed. The role played by the regulatory and supervisory authority in the preparation and implementation of emergency response depends on constitutional, political, practical and sometimes historical issues. However, if the legal and regulatory infrastructure is not complete or conflicting, it is not necessary to enact new laws before the emergency planning process can start. In fact, doing so would most likely delay the implementation of an effective emergency response capability by several years. A preliminary response capability, based on readily available information and legal instruments should be quickly developed for use as input in the development of an interim capability. In addition to formal requirements, several practical experiences should be taken into account. It is desirable that co-operating persons or units belonging to different authorities be located at a similar level in the respective hierarchies. Skills and knowledge required from the personnel in emergency situations should be based to the largest extent possible on their routine tasks. Persons expected to co-operate in an emergency should be encouraged to contact their potential partners regularly in order to be an experienced team on demand. 7.3. ASSESSMENT The practical objectives of emergency response are: x to take mitigatory action at the scene; x to prevent the occurrence of deterministic effects in workers and the public; x to render first aid and to manage the treatment of radiation injuries; x to reduce, to the extent practicable, the occurrence of stochastic effects in the population; x to limit, to the extent practicable, the occurrence of non-radiological effects in individuals and in the population; x to protect, to the extent practicable, the environment and property; and x to prepare, to the extent practicable, for the resumption of normal social and economic activity There are very fast moving events for which immediate action is needed to meet these objectives. These events are identified in advance as part of a threat assessment. For these events the actions (to include protective actions for the public) must be pre-determined and implemented immediately when the need is recognized. That is upon declaration of an emergency. There is no time for meetings to determine the response. Meetings and detailed assessments are to determine the course of action for lesser events and to revise the predetermined actions. Decisions on protective actions need to be based on a set of assessments — preassessment for pre-determined actions and assessment of on-going situation — such as the event classification, the assessment of the plant status, the characteristics of the (potential) 281 release (amount of radionuclides, nuclide vector, start, course and end, energy content, physical and chemical properties), dispersion and deposition of air-borne radionuclides, contamination and dose in the near and far field, health effects, feasibility, benefits and drawbacks of protective actions. It is extremely important to note that most of the assessments must comprise both the diagnosis of the present state and the prognosis of future developments. For severe accident (e.g. general emergencies) the facility and off-site officials should have predetermined arrangements that will result in prompt implementation of the appropriate protective actions without time-consuming activities such as meetings. However, as a rule, once the initial actions have been taken, the emergency management authority can and will not exclusively rely on the assessments made by the NPP, the manufacturer and other members of the NPP’s crisis management team, but will convene its own expert team which my comprise a liaison officer from the NPP, a radiation protection expert, a physician experienced in radiation protection and trained in disaster management, a liaison officer from the supervisory authority, a meteorologist etc. Nevertheless the expert judgement of the NPP personnel is of outstanding importance. For longer lasting releases the need for shift working of the emergency management team and its advisors should be taken into account. The emergency management needs access to all relevant measurements and should be entitled and in a position to initiate complementary measurements. In the first phases of an accident, when measurements are not yet available or incomplete, calculations with the aid of dispersion, deposition and dose models may be important. The emergency management needs access to the result of such calculations including meteorological forecasts of the national meteorological services. 7.4. MONITORING AND MEASUREMENTS Operational intervention levels (OILs) should be predetermined for use following a release. OILs are easily measurable quantities that are a surrogate for the international or national intervention or action levels. OILs are the levels of radionuclides in deposition, food or water samples or dose rates. In addition procedures should be in place to revise the predetermined OILs based on actual event data. IAEA has guidance [28, 29] on OILs and procedures for their revision. IAEA has developed detailed guidance on environmental monitoring during emergencies [36] Many European countries have already installed or are in the process of installing a stationary network of monitoring devices that allow the determination of the local dose rates. Following an event, the network is switched from the normal to the emergency operation mode delivering results with an adequate frequency. In addition, the availability of monitoring teams and of laboratories capable to measure a considerable number of samples in case of an emergency is an important issue of emergency response planning. Availability means preparations for the alert of the teams, provision of sufficient equipment and vehicles, assignment of tasks, knowledge of both location of and access to measuring points, availability of standardized maps etc. 282 Lines of communication between the monitoring teams, the labs measuring the samples and the emergency management must function at any time. The transport of samples to the labs is to be organized. All emergency response personnel need to be trained periodically, the equipment must be checked and maintained. It may be necessary to develop guidance for sampling, preparation of samples and for measurements. Of paramount importance is the development of a measurement strategy. There is a hierarchy in terms of kind and time of measurements. Fast measurement of air-borne radioactivity, local dose rates and foodstuff for cows (iodine) is more important than the contamination measurement of fruits and vegetables which can be harvested later. Identification of key measurements necessary as a basis for decision making is much more useful than the generation of a flood of measured data. 7.5. INTERVENTION For an early release, very fast and efficient countermeasures forming an intervention programme may be necessary. Prerequisites for successful implementation of an intervention programme are established emergency preparedness concepts and emergency management strategies. Main components thereof are: x x x x x x A set of agreed countermeasures; A basis for decisions on them; The provisions necessary for their implementation; Unequivocal assignment of responsibilities; Availability of personnel and equipment; Periodic training, exercises and up-dating of documents. There is a need for conducting an assessment of practices in a country to determine when and where immediate (emergency) action will be needed to meet the response objectives. Protective action strategies must be pre-determined that meet the objectives for the full range of possible emergencies. Criteria and decision-making processes are to be established for promptly implementing of these protective action strategies. In addition the necessary preparations are made for executing these protective actions. Emergency preparedness concepts are very complex and are dealt with in the Basic Safety Standards [33], jointly sponsored by FAO, IAEA, ILO, OECD/NEA, PAHO and WHO and other IAEA documents [27, 28, 29]. IAEA recommends the following basic strategy for implementation of protective actions in the event of a severe emergency (e.g. a General Emergency): 1) Immediately upon declaration of the emergency: x Evacuate or substantial shelter of the population out to about 3–5 km6 (in all direction) and x Distribute stable iodine near the plant to about a 25 km radius7. 6 7 This area is referred to as the Precautionary Action Zone (PAZ). This are is referred to as the Urgent Protective Measure Planning Zone (UPZ). 283 2) Once the release has occurred rapid monitoring is conducted to locate and, if necessary, evacuate any ‘hot-spots based on OILs. 3) Finally restrict the consumption of freshly-produced locally grown foodstuffs, such as milk from a privately owned cow, or garden-grown vegetables until measurements can be obtained to confirm the need for such measures. Kind, benefits and risks of countermeasures as well as the principles of justification and optimisation of an intervention are internationally agreed, although the practical implementation of optimisation is not yet solved in a satisfactory manner. Numerical guidance for justification needs to be developed by each country in accordance with its national conditions [33]but keeping in mind that differences between countries are difficult to explain to the population. Both the method of and the ingredients to optimisation must be chosen. In order to avoid confusion under stress conditions it is advisable to carefully specify the criteria to be used during an emergency in measurable quantities (OILs) and not nonmeasurable dose concepts such as equivalent dose. Obviously provisions must be made for effective implementation of the countermeasures/protective measures. This would include addressing issues related to the availability of iodine tablets, their mode of distribution and their dosage, the availability of public means of transport for evacuation of the public, transients and special populations, criteria for a judgement on the feasibility of protective actions under adverse weather considerations. 7.6. PLANS, RESOURCES, WORK SHEETS, GUIDANCE Fast and efficient emergency response is helped considerably by good plans based on a system of sectors and zones around the nuclear facility, fixed sizes, numbers, positions and labels of these sectors and zones, and an unequivocal assignment of duties and responsibilities. Important issues in such plans are alarm and communication. In order to avoid frequent sources of error, careful checks for consistency of terms (wind direction), maps, sectors, zones and places of measurements should be made. Another frequent cause of errors and delays are obsolete names, positions, duties, responsibilities, telephone and fax numbers, and e-mail addresses in emergency response plans. Periodical review and careful updating are indispensable. Consequently, emergency plans may comprise the following Sections and sections: x x x x x x x x x 284 Contents. Emergency management objectives. Document control. Emergency management organization (including advisors and equipment). Plant alarms and action levels (including which teams are notified). Emergency response teams (including their own action plans and equipment to be used). Maps, scales, sectors, zones and details of local populations. Public protection intervention levels and action plans. Communication. In order to facilitate communication in case of an emergency, it is preferable to keep those parts of the plans confidential which contain names, addresses, telephone and fax numbers, e-mail addresses, etc. Of great help may be guidelines and manuals such as catalogues of countermeasures indicating the different kinds of action, key features, efficiency, basis of decision making, guidelines and checklists for the development of plans, lists of physicians trained in emergency response, of special hospitals and of premises with installations suitable for decontamination of persons etc. IAEA has provided guidance on the plans, procedures, facilities, organizations and other elements of an adequate response program [28,29] 7.7. COMMUNICATION WITH THE MEDIA AND THE PUBLIC Good communication with the public is a prerequisite of successful emergency management. Such communication is not possible without the help of the media. The mass media — i.e. the journalists — do not deal routinely with radiation protection issues, and if they publish news on radiation protection, they do it with criteria different from those required in an emergency. The knowledge of the public about the subject is limited as well. In summary: News about a complex subject must be conveyed in a difficult situation by persons with little knowledge to a population almost without any knowledge. To provide timely information to the media and the public taking account of the complexity of the subject, good relations with reliable journalists should be established and carefully maintained. The way of communicating official statements should be agreed with the media, pre-formulated modules of messages should be developed taking into account that an information to the public should always comprise: x x x x x x A statement about the characteristics of the accident. A best estimate about the further development of the accident. A statement about the reaction of the authorities giving evidence. Competence of the authority. Instructions about countermeasures — if applicable. Assurance of periodic and adequate information. The information must be concise and adapted to the knowledge of the average citizen. Give the population a chance to make its own assessment, e.g. by comparing the exposure due to the accident with the exposure due to natural sources. In the countries of the European Union (EU) the application of the EU standards on the information of the public — routinely and in case of events — is mandatory. The international INES scale is designed for the purpose of informing the public, but as a rule the public knowledge about the INES scale is small. If sirens are used for warning the public, the familiarity with the siren signals should be promoted. For an installation for which urgent protective action may be needed, the off-site populations near the plant should be provided with information on their response during an emergency on a routine basis. 285 7.8. DECISION SUPPORT SYSTEMS IAEA recommends that initially decisions concerning protective action not be based on dose projection models because of the great uncertainties associated with their use. Early in a severe emergency, IAEA recommends that decisions on countermeasures be based on very simple criteria that rely on observable data (EALs and OILs). However, for long-term emergencies involving large atmospheric release resulting in large areas of contamination, a computer-based support system many be very useful. The European Union is promoting the development of a computer-based, real-time, online decision support system called RODOS. The Institute for Neutron Physics and Reactor Engineering of the Karlsruhe Research Centre is playing a leading role in the development of this system, RODOS-based emergency response courses were and will be conducted at FTU. Supposed to be the main beneficiaries of RODOS the emergency management authorities were requested to contribute as much as possible to the development of this system. The RODOS system can provide decision support at four distinct levels: x Level 0: Acquisition and checking of radiological data and their presentation, directly or with minimal analysis, to decision makers, along with geographical and demographic information. x Level 1: Analysis and prediction of the current and future radiological situation (i.e. the distribution over space and time in the absence of countermeasures) based upon information on the source term, monitoring data, meteorological data and models (realtime, on-line). x Level 2: Simulation of potential countermeasures (e.g. sheltering, evacuation, issue of iodine tablets, relocation, decontamination and food-bans), in particular, determination of their feasibility and quantification of their benefits and disadvantages. x Level 3: Evaluation and ranking of alternative countermeasure strategies by balancing their respective benefits and disadvantages (e.g. costs, averted dose, stress reduction, social and political acceptability) taking account of societal preferences as perceived by decision makers. The RODOS system was or will be installed in many countries for research and development and/or operational use. There may be large uncertainties with projections of doses before and during a release. Therefore early in an event protective action decisions are based on simple observable criteria (e.g. indications of core damage), or operational intervention levels. Tools such as RODOS should be used to reassess the initial decisions and for further decisions when more time and information are available. 7.9. PROTECTION OF EMERGENCY WORKERS All personnel performing actions to mitigate the consequences of the emergency should be considered emergency workers. For example this includes drivers of buses used for evacuation or police controlling traffic. 286 The dose received by emergencies must be justified and for this purpose the workers can be subdivided into four groups in accordance with the following categories of works: x Actions for saving life and/or preventing severe consequences. Such exposure is highly justified, but should nevertheless not exceed the threshold for serious deterministic effects. x Short-term recovery operations and/or urgent countermeasures affecting the public. All reasonable efforts should be made to keep doses below an effective dose 100 mSv in a year. x Long-term recovery operations. These operations can be carefully planned, the workers involved can be trained, medical supervision and dosimetry services can be provided. The full system of radiation protection for workers should apply. x Work not connected with the mitigation of the consequences such as routine work in sewage treatment plants, exchange of air filters, farm work causing resuspension of deposited radionuclides etc. It depends on the features of the accident whether special radiation protection measures for these groups of persons are required. No numerical guidance has been developed. In implementing the system of protection for emergence workers issues such as the following must be addressed: means to continuously monitor the doses received, field turn-back criteria, and protection from all anticipated hazards (e.g. toxic gases). Care must be taken that off-site emergency services personnel (e.g. fire fighters, police, medical) who may respond on site are provide with adequate protective arrangements. IAEA has provided guidance protection of emergency workers [28,29] 7.10. TRAINING AND EXERCISES In accordance with 7.1 to 7.9, typical items of training may be: x Tasks and responsibilities of all persons involved in emergency preparedness and response; x Planning basis; x Assessment of plant conditions; x Alarm criteria; x On-site and off-site accident management; x Equipment and provisions of the authorities; x Importance of radionuclides and pathways of exposure; x Kind and features of countermeasures; x Criteria for intervention; x Use of decision support systems, pc-programs and other supporting material; x Information of the media and the public etc. There is a series of tasks to be solved by the emergency management that require periodical exercising. Examples are: x On-site emergency management; x Warning of the emergency management authorities; 287 x Co-operation of authorities, routinely operating in different areas or departments or on different levels; x Advice to authorities given by experts; x Communication; x Transboundary communication and co-operation; x Early notification of boarding States IAEA; x Ad-hoc development of a basis for decisions on countermeasures. It is advisable to develop guidance for these subjects. The NPPs are usually obliged to contribute to all types of exercises. 7.11. CO-OPERATION WITH NEIGHBOURING STATES In addition to the long-range transport of considerable amounts of radionuclides the Chernobyl accident had several unpleasant features causing confusion in the population: x The long-lasting reluctance of the former USSR to inform its neighbours adequately on what had happened; x Differing governmental judgements about the situation and the implications for the population; and x Different intervention levels in the European states. All efforts should be made to avoid such difficulties in the future. A good basis therefore are the IAEA Convention on Early Notification, the corresponding agreements among the EU States and many bilateral agreements on communication, liaison officers, calculation models, intervention levels etc. 8. COMMUNICATION WITH THE PUBLIC 8.1. GENERAL INFORMATION IAEA has developed guidance on communication with the public for the nuclear, radiation and waste safety fields [37]. Regulatory role in public communication depends very much on the national governmental practices. In some countries only necessary information is provided by the regulatory bodies while in some other countries regulatory bodies try to be as open and communicative as possible. Public trust on regulatory bodies is an important issue. Also good safety culture practices include openness in communication. It is also necessary to establish communication channels during normal power plant operation to gain the greatest benefit in emergencies. If information is only provided during incidents or, even worse, if information is not provided even then in a timely manner, rumours and public mistrust of regulatory bodies prevail. 8.1.1. Role of the regulatory authority The regulatory authority has a very important role in the communication of nuclear safety to the population. It is the regulatory authority that establishes, controls, inspects and enforces the nuclear regulations. It is often the first to be contacted when there is an abnormal 288 situation. The regulatory authority, as a body with independent functions to control the use of radiation, is the appropriate organization for providing independent, neutral, balanced and factual information about any issue related to nuclear safety in the country. This position gives the necessary credibility to the regulatory authority. Nonetheless, a communication programme must be in place to create and maintain this image. The roles and responsibilities of regulators and licensees are different and so are their messages. It is fundamental to transmit the message that the regulatory authority is responsible for the national control of the use of radiation sources and not biased in favour of promotion of the nuclear industry. There are many difficulties in conveying messages on nuclear safety to the public. Much of the difficulty relates to the technical language that experts use routinely in their work, and therefore tend to use when communicating with others. There are also more mundane problems with establishing a good communication programme, such as: x x x The other duties of the regulatory authority in developing regulations; inspecting and enforcing are commonly perceived to be more important and urgent. This can result in only reactive communication taking place, i.e. Only when there is an incident; The lack of dedicated personnel with a good level of technical expertise and a talent for communication; and The absence of an adequate budget for a communication programme. The communication challenge for regulatory authorities is therefore to provide independent, factual information to explain how they are ensuring the safety of activities involving radiation and radioactive materials. In order to develop trust and understanding between the regulatory authority and its audiences, communication obviously needs to be open and honest, but the development of such a relationship also depends on regular and consistent communication. Clearly, the regulatory authorities have a particular need to communicate when incidents occur or when issues are raised, but the communication in these ‘crisis’ situations is likely to be much more effective if a relationship has already been established through regular routine communications. Hence proactive communication about safety and regulation when there are no incidents to report can be just as important as communication in response to events. The channels of communication between regulators and licensees should be always clearly identified and the communication should be constant, formal and official. Aside from the routine interactions, two special types of communication that are also indicative of a good relationship between those two parties are: x Notification of unusual events — regulators should be kept informed by the licensees of any unusual event related to safety conditions in an installation, even if this event is unlikely to progress to an emergency situation. Permanent communication in crisis situation avoids any contradiction or inconsistencies in communication to third parties. x Feedback on recent safety developments and inspections completed — regulators should inform the licensees about new guidance on safety matters, give feedback about inspection 289 reports on the installations or on radiological assessment due to an unusual event or accident. The communication of nuclear safety with decision makers, such as high level governmental representatives and parliamentarians, facilitates political decisions such as those related to the approval of adequate budget and organizational infrastructure for nuclear safety, improves relationships and co-ordination of joint activities and strengthens the regulatory authority as a whole. If the regulatory responsibilities for nuclear safety are divided between a number of different organizations, effective arrangements need to be made to ensure that communication activities are coordinated to provide coherent information, or at least to avoid seemingly contradictory information being disseminated by the different organizations. One other perhaps less obvious type of communication responsibility is communicating with regulatory counterparts in other countries. Such exchanges of information and experience may be of assistance in carrying out not only the communications role of a regulatory authority, but also in discharging its other responsibilities. International communication between regulators can range from informal bilateral or regional exchanges to the much more formal process of exchanging information under the terms of intergovernmental treaties such as the Convention on Nuclear Safety or the Convention on Early Notification of a Nuclear Accident. Regulatory authorities are encouraged to consult more broadly and to work with technical universities, NGOs, professional organizations, etc. in order to exchange information, increase awareness of regulatory authority work and get acquainted with new scientific and technical developments, to understand and address the concerns of the scientific community. This publication does not refer to the issue of regulations by the regulatory authority. However it is recognized that nowadays more and more lay persons read and analyse the regulations for several reasons: e.g. as a user, an NGO, or simply as a critical observer. Therefore, the preparation of regulations should take into account this fact to avoid any misinterpretation of the content due to a lack of careful explanation of any technical term or procedure. 8.1.2. Fundamentals of nuclear communications Communications are a specialized field that should be placed in the hands of trained communications experts who work in consultation with experts from the nuclear area. Just as the control of nuclear technologies is a specialized field, so too are communications. Experience has shown that poorly managed communications contribute to lower levels of safety and to an antagonistic environment in which nuclear professionals lose their most important resource: the trust of their constituents, including political authorities and the public. Internal and external communications are equally important. An effective internal communications programme will strive to make the organization a team that clearly understands and respects one another’s different yet equally important roles. This will 290 contribute to a more effective organization that can better serve the public interest. An effective external communications programme will represent the opinions and expertise of the organization to external audiences thereby reducing or preventing misunderstanding and thus increasing safety. The programme will also try to understand and to present the opinions and findings of these external audiences within the safety authority so that these opinions are reflected in the final service offered to society by the regulatory authority. Most people want to have information about nuclear topics. This interest does not mean that people will seek out information on these topics. People are overloaded with information and must be selective about what they spend their time learning about. Most people only pay attention when they hear about an accident. Therefore it is better to assume an audience knows relatively little — positive or negative — about any particular topic. In many cases they may not have thought about the topic before. The lack of basic information may be surprising to professionals who work with the subject on a daily basis. A majority of people does not know what percentage of their electricity comes from nuclear energy or are even able to recognize the radioactive trefoil sign indicating the presence of a radiation field; this has led to several radiological accidents. Lack of information does not mean that people are ignorant. Each target audience needs to feel that their intelligence is respected. Responding to concerns with numbers like “well, your risk of contamination from a transport canister is 10-3, is too scientific and may be interpreted as cold and uncaring. A simple, factual explanation which puts the situation in context is more effective: “if you stand next to this transport canister for 24 hours you will receive the same radiation dose as an 8 hour airplane flight”. People are not impressed with scientific risk assessments that show how safe nuclear energy is compared to other energy sources. They think more about the consequences of an accident or radiation exposure than about the probability of its occurrence. This is especially true for women who tend to be more concerned about the future. Risk assessment should be explained as part of a context, how it is used to improve safety technology and also in debates with technical specialized audience. Just as knowledge of nuclear technologies is needed to reduce the risk of mismanagement of radioactive materials, communication can help to reduce the risk of misunderstanding fed by fear and rumour and consequently increase safety. It is clear that communications cannot correct a technical error. However, technical excellence is no guarantee against unsubstantiated fear and the reprisals that accompany such fear. The first rule of communications is honesty and transparency in place of silence and suppression. Excellence in operations and excellence in communications are mutually reinforcing concepts. To be truly effective, the message must address not only the listener’s wants, it must also address their often unspoken needs. Communication connects the message to basic values. These basic values include security, safety, trust, right to choose and freedom. A long-term relationship with one’s audiences, nurtured over the years, is among the most important investments nuclear professionals can make. It is the foundation upon which to build trust. Without trust and some degree of predictability, one’s relationships can be turbulent or even disastrous. A communications specialist should be placed within the executive committee of the regulatory authority to assure their expertise is well integrated into the decision making process of the organization. Experience has shown that not placing communications at the same level of importance as operations, finance, or legal functions can have disastrous effects in times of critical importance. 291 A high level communications expert should be trained with the knowledge of how to use a variety of specialized media, including various forms of writing, speaking to the public, media relations, publishing, community relations, and social science research and programme evaluation to achieve the regulatory authority’s goals. Each field requires specialized knowledge as well as a large investment in training. Each regulatory authority will have different requirements, depending on the types of technologies they regulate and on the cultural characteristics of the country. The basic objective of nuclear communication from the point of view of the regulatory authority is to keep the public informed about the facts on nuclear safety, and especially, its own role in controlling the use of radiation in the country. To develop a comprehensive communication programme on specific issues, five elements are needed: x x x x x Clearly stated programme objectives; Identification of the audience according to the objectives of the communication programme; Opinion research of audience(s), to identify the need and the messages to be communicated and the channels of communication; A management plan with clearly stated goals for each audience that will help to achieve the objectives, and which considers a number of options; and An evaluation plan to incorporate lessons learned in future planning. 8.2. COUNTRY SPECIFIC APPROACHES AND EXPERIENCE In the following one country example is provided to illustrate the regulatory role in public communication. The example is based on reference [38]. 8.2.1. Establishing a public information policy in Finland A policy of total openness in information about operating experience of nuclear power plants and other nuclear safety issues was adopted by STUK at the initial start-up of the first commercial reactor in Finland in January 1977. Quarterly reports describing the operating events have been published regularly starting from the first quarter of 1977, and event specific press releases have been issued promptly as needed. The reporting policy and approach was presented to the news media in a press conference in December 1977. That first press conference by STUK was attended by a good number of prominent press people, and our main message was well received. The message was that all events of interest will be reported and the reports are available to anyone who asks for them. Since then reporting has become a part of the normal routine. The attention that was focused on STUK and its employees after the Chernobyl accident has also resulted in a wide acknowledgement of STUK and its role as a regulatory organization. Today, both the news media and the general public are actively contacting STUK whenever they want to get information on nuclear safety matters, or to check background for nuclear power related information received through international news agencies. 292 In recent years STUK has significantly extended its activities on nuclear safety related communications. There are now four full time communication experts working in the area who can be reached at any times, days and nights. The work can be divided into three different types of activity: x Writing, publishing and distributing educational material and background information for example by means of STUK’s own website leaflets, PC diskettes, teletext, “ALARA” magazine, and organizing meetings with journalists and other interested groups. x Providing timely information on nuclear safety related events in Finland and abroad. The timing of publishing the domestic information (promptly or in periodical reports) is defined in STUK’s internal guidelines, and depends on the estimated interest and public concern; and x Responding to the information needs which are indicated in the form of questions from political decision makers, other government authorities, journalists, or members of the general public. An important point to be noted by STUK staff in all communications is that one should not give an impression of promoting the use of nuclear energy. This is a delicate topic and misunderstandings can be possible while the authority tries to alleviate unnecessary concerns in people’s minds. The duty of STUK is to present the facts as clearly as possible, and give the reader or listener the opportunity to draw his/her own conclusions. The systematic use of the INES scale has also been most helpful. 8.2.2. Criteria for reporting operating events The main rule is that STUK reports to the public all events that are safety related (including events categorised as INES level 0) or which may for some other reason be of general interest. A question to be asked in each case is: how and when to report? There are three possibilities: x Events of great public concern that require immediate information using methods developed for emergencies. In such cases it is not enough to consider the information issue alone, and the whole situation would be handled using STUK’s emergency plan and arrangements; x Events not requiring emergency measures but prompt reporting on the same day. Support for decisions on reporting in such cases is given in an internal STUK guideline. If prompt reporting is needed, a further question is whether to issue a separate press release and send it by fax to news media and authorities included in our mailing list, or just to make the information available through various telecommunication tools; and x Events that will be described in quarterly reports only. The internal STUK guidelines say that prompt reporting should be done whenever an event is likely to be classified INES scale 1 or higher. 293 Besides the safety related events, STUK has also found it necessary to report certain other events that typically raise concerns in people’s minds. The reason is that in one way or another such events may penetrate to the news or cause false rumours, and then it is difficult to explain what really happened and why it was not reported. Examples of such events are: x Leaks of radioactive water within the plant or into the environment, irrespective of the level of radioactivity, and in some cases even a leak of clean water if the leakage is large; x Abnormal events in handling nuclear materials or nuclear waste; x Fire anywhere on the plant site which results in alerting the fire brigade; x Worker related accidents where a person is admitted to hospital as an emergency case, or receives a radiation dose or internal contamination that requires special investigation; and x Unplanned reactor shutdown or load reduction, for instance as a consequence of a technical failure or abnormal natural phenomena. 8.2.3. STUK’s quarterly reports on the operation of nuclear power plants Quarterly reports on the operation of Finnish nuclear power plants describe events and observations related to nuclear and radiation safety that STUK considers of safety significance. Before issuing a report comments are invited from utilities. The reports are written for the layman. Thus, for example, the meanings of all technical words are explained and no acronyms for systems and devices are used. A quarterly report contains a description of nuclear power plant operations (i.e. diagrams of daily gross power, production data, causes of power reductions, shutdowns and outages). Events which are reported are described from the viewpoint of nuclear safety and INES levels are indicated. An event description includes the following subjects: safety oriented title, short description of what happened and what was safety significant (introduction), description of the system which failed, a detailed description of the event, root cause (if known when producing the report) and improvements made to prevent recurrence. In the report’s Section on radiation safety, occupational exposure at Finnish nuclear power plants radioactive releases and the results of the environmental monitoring are presented. The report also contains descriptions of plant safety improvements. The annual number of events at the four Finnish nuclear power plant units reported in STUK’s Quarterly Reports in 1990–1998 varied from 11 to 24. Examples of event types are as follows: partial unavailability of safety systems, reliability of a safety system compromised, small fuel cladding leaks, minor radioactive contamination, minor doses to workers (well below the dose limits) and procedures violated. Most events have been classified as level 0 on the INES. The highest INES level of incidents reported in this period was 2. The quarterly reports are distributed to the Finnish press and media, authorities, utilities, research institutes, and municipalities near nuclear power plants. Altogether in the mailing list there are about 180 addresses in Finland. The reports are translated into English. 294 These translated reports are distributed mainly to foreign nuclear regulatory bodies, and altogether about 80 reports are sent all over the world. Response of the news media and credibility of STUK The news media has treated the information provided by STUK in a constructive and professional manner. The information provided by STUK serves its purpose only if it is considered credible by the people who receive it. It is STUK’s own assessment that it is taken as a quite credible source of information. Such an assessment can be based on the way it is treated in the news media and on private discussions with outsiders. Also, the recent survey studies indicate that people consider STUK the most credible source of information in the field of nuclear safety. 8.2.4. Technical tools to offer prompt information STUK’s technical communication tools provide information promptly and conveniently. STUK’s teletext pages on the state owned TV network and the new section on www.pages are normally updated approximately once a week. During an incident they are updated as often as needed. Information normally concentrates on subjects of common interest, such as the use of radiation and nuclear power in general. In case of an abnormal situation the tools can be used to transmit information such as protective action recommendations to the public. Each Friday the information services publish a telefax bulletin called “Weekly Information”. It includes all the radiation news reports released during the week. The bulletin is faxed to the relevant authorities. The STUK's radiation fax service is also updated on Fridays. People can order the weekly information bulletin to their own fax machines from this service. The fax service may also include recent press releases and background information on radiation and nuclear safety. 8.2.5. Communication is intensified during an incident STUK's policy is to start informing people about an incident immediately, even if not all the facts are yet available, and also when there is no need for protective actions. If we did not begin communication at our own initiative, we could be accused of trying to hide valuable information. If the trust of the public and the media is lost, it might be extremely difficult or even impossible to win back. Informing the media aims at keeping the public aware of the situation and its consequences, explaining the actions of the authorities and preventing rumours from developing. If communication with the media is handled properly, it is an effective tool in managing the situation. In a radiation incident situation STUK's role as an expert organization intensifies. STUK collects information and forms a judgement based on this information and on the STUK's own monitoring results. Thereafter the STUK may recommend protective actions. Naturally, prompt communication with the media is necessary, as well as smooth coordination between different authorities and the STUK's internal departments. The goal of our on-call system is to start operations within 15 minutes of the first notification, at any time of day or night. 295 The STUK uses fax report forms for urgent notification of the situation. Two of these forms may also be faxed to the mass media. Their purpose is to give immediate and basic information on the incident for public information purposes. The addressees receive the report forms by a system called “multifax”. The forms are faxed to a telephone company that then distributes them to different recipients almost simultaneously. The recipients are combined into different groups. Each group has its own telefax number programmed in the STUK fax machine. STUK sends a message to this telefax number and the telephone company then distributes the message to all the recipients in the same group, e.g. to about one hundred press offices and radio and television stations. After the forms have been sent, press releases can be written and faxed by the multifax system to the media, the authorities and always to the STUK's own departments. Depending on the situation, press releases may also be faxed to the nuclear power utilities, local laboratories and regional emergency centres. Press releases can also be reached on www.pages and modified versions will be transmitted to the teletext. Because a radiation incident almost certainly gives rise to an enormous need for guidance, telephone lines can easily get blocked. If the situation calls for extensive guidance, a group of experts can be formed to provide instructions to the public by phone. STUK is prepared to give 10–15-minute situation descriptions for staff members and journalists during an incident. These press conferences will be held at the auditorium every hour and as soon as there is a change in the situation. Since it would be inconvenient for the journalists to constantly travel between their offices and the STUK, STUK can provide a temporary press centre for them at STUK library, which is situated close to the auditorium. The press centre offers additional telephones, fax and copying services, and background information. An emergency may require centralising the authorities' public information activities. In such a situation a national information centre can be set up at the information unit of the government (state council). This centre will co-ordinate public information with the authorities concerned, but the authorities are required to continue public information in their own sector as well. The national information centre can also invite information officers from other state authorities to give practical help in order to cope with an eventual massive demand for information. A communication programme must be tested in practice. So it is regularly evaluated in emergency exercises held at the STUK. This has been intensified by inviting journalists to participate in or observe the exercises, or by having staff members simulate the mass media and the public. Communication continues after the incident After the incident is over, the need for communication continues. Explaining the reasons and the results, giving guidance, and estimating the future development, as well as reporting improvement of activities, may last for years. The incident may cause long-term concern among the public, which can be diminished by continuous communication, e.g. the information about the consequences of the Chernobyl accident was still being provided 10 years after the accident. 296 8.2.6. The INES classification is a useful tool in informing the public The International Nuclear Event Scale (INES) [39] as been in use in Finland since the very beginning, i.e. since 1990. The scale has been a useful tool in the STUK's information policy, for putting incidents into perspective for media use. STUK has required the utilities to submit a proposal for an INES level. STUK then decides the INES level of an event. The proposal of the utility should be available in STUK so that the INES level can be used when informing the public about the event. STUK reports to the IAEA on INES ratings as required. Events classified as level 2 or above, and also events having public interest internationally, will be reported to the IAEA. The INES levels of events in other countries that are reported to STUK through the INES network are also used when STUK informs the Finnish media about these incidents if the INES levels are available at an early stage. STUK has produced a leaflet in Finnish, based on the IAEA’s leaflet describing the INES levels. Figure 19 presents the International Nuclear Event Scale (INES) for prompt communication of safety significance of incidents and accidents. Appendix VI presents more detailed description of the INES including examples. FIG. 19. International Nuclear Event Scale (INES) for prompt communication of safety significance of incidents and accidents [38]. 297 8.2.7. Observations about crisis communication The following issues should be taken into account when crisis communication is planned: x An active and timely communication policy can prevent false rumours; x There has to be a constant flow of information — people have different ways to receive the messages; x The information should be timely; x The source of information should be reliable; x When possible feedback should be used such as experts answering telephone calls on radio or television; x Deliberately false information will be found out and will harm future communications; x Human beings are both rational and emotional beings — the psychological aspects of a crisis should be analyzed and considered; and x A crisis may create lasting psychological traumas — sometimes post-traumatic communication care is needed. How to communicate with the public The following key issues should be remembered: x The information must be easily available; x The information must be understandable. Use everyday words and avoid professional language. Short sentences with active verbs are better understood; and x The information must be memorable, especially if it contains advice and recommendations. A message of an incident or accident should include time and place, involved persons, cause and consequences. The message is best remembered if you can repeat essential facts. Complaints about public information The following complaints have been collected concerning provision of information during accident situations: x Too late, too little; x Hiding of important information; x Too many sources of information, no co-ordination; x Nobody in charge of communication; x Too much difficult language; x Too many rumours; x Wrong attitudes about communication; x “They know more but they do not want to alarm people”; x Very difficult to find anybody to give information — when finally found the one could not explain difficult material well; and x They did not understand its psychological importance for a common person. They kept talking about technical details. 298 APPENDICES Appendices I to III provide three examples of safety development when operating procedures and emergency operating procedures of a nuclear power plant are concerned, i.e. x Evolution of operating manual in Germany. x Complementary procedures aimed at coping with the complete failure of redundant systems in France. x Preparation for the management of severe accidents in France. Appendices IV and V provide examples of nuclear safety standards, i.e. a list of the IAEA Nuclear Safety Standards and as a national example a list of Finnish Regulatory YVL guides. Appendix VI presents the IAEA INES scale that is an important tool in public communication (classification of events). Appendix VII presents a typical training course related documentation for organizing the training course on regulatory control of nuclear power plants. 299 Appendix I EXAMPLES OF EVOLUTION OF AN OPERATION MANUAL — OPERATING PROCEDURES Operating procedures for normal operation For normal plant operation of a nuclear power plant — such as plant start-up or shutdown — there are written instructions laid down in the “operation handbook”. These instructions enable the operators to bring into (or take out of) service single systems or other components — each manual operation is described in detail step by step. Therefore the written instructions often are designed like check lists. In some cases theses instructions have a logical structure which can be read like the source code of a computer programme (IF ... THEN ... ELSE). This logical structure sometimes exists separately as a complementary short version of the detailed check list and is used by the shift supervisor while the operators switch at the console in the control room or operate in plant areas by means of the detailed version. In other cases there is only one version that has an integrated logical structure. Besides instructions for plant operation the operation handbook that consists of numerous folders (up to 100 — and even more) contains system drawings, valve lists, tank protection sheets and other technical paperwork for each single system. The content of all system folders are identical. For example, authority regulations for safe NPP operation, repair time catalogues and organizational regulations are part of the operation handbook. The layout of the operating manuals varies between different plants even between those of the same manufacturer. Nevertheless there exist common fundamental requirements covering the content and the design of the operation handbook in most countries (e.g. safety regulation KTA 1201 in Germany). Operating procedures for abnormal conditions One of the major design principles of a nuclear power plant is to protect the integrity of the reactor core and to prevent significant radioactive release to the environment during accidents without requiring urgent reactor operator actions. Therefore nuclear power plants are equipped with automatic protection systems which monitor the plant status continuously and automatically actuate safety systems if important plant parameters reach pre-determined safety limits (reactor protection system). The main task of the reactor protection system is to bring the plant to a stable safe condition in a limited period of time During this time the operating personnel have to diagnose the plant status to find out what kind of accident happened and then — following the “event-oriented” procedure — shut down the plant to cold, subcritical status. The traditional approach throughout the nuclear industry is to have operating procedures for certain postulated events that have been analyzed and discussed in the safety analysis reports. The procedures formerly were only limited to single initiating events followed by successful operation of safety systems designed to respond to those events. 301 In the last decade the strategy of accident control has been extended to include consideration of: x Design accidents with additional problems (e.g. steam generator tube rupture with additional disturbances, event tree); x Combinations of different design accidents (e.g. steam generator tube rupture and main steam line break at the same steam generator inside containment). Meanwhile the available operating procedures cover such additional problems and the plants´ safety systems have been back fitted during the last decades to enable them to cope with such accidents. Although the “event-oriented” operating procedures today are well prepared and tested on full-scope simulators there remains the risk that an event does not progress as predicted. Event-oriented procedures have a limited scope and they cannot address a variety of multiple failures or events that have never been foreseen. So some events (of a very low probability) may not have an applicable procedure, in other cases more than one event procedure must be used at the same time, which could cause severe contradictions when using different procedures. For these so-called “unexpected events” other strategies and related paperwork have been developed i.e. the “safety function oriented procedures” (“symptom-based procedures”) The idea of this strategy is the independent monitoring of the fundamental safety functions immediately at the start of an event e.g. after reactor trip (simultaneous to the “event-oriented” diagnosis): x x x x x Sub criticality; Prevention of radioactivity release; Core covering; Heat transfer; Storage of cooling water and energy supply. If it is found (whether automatically or by means of human supervision of certain plant parameters) that one of the safety functions is impaired or that there is no applicable “eventoriented” operating procedure, the “safety function oriented management” of the plant becomes necessary. In such situations the shift supervisor has to alert the members of the Accident Management Team to be prepared for emergency actions. In the so-called “Safety Function Handbook” (which in some cases is still in the licensing process) the operating shift team can use written instructions to re-establish a safe condition of safety functions that do not contradict any instructions laid down in “event-oriented” manuals may be applied simultaneously. For certain events with very low probability there is an “emergency handbook” (which in some cases is still in the licensing process) covering instructions such as primary and 302 secondary side feed and bleed or containment venting. The use of these instructions needs permission from the Accident Management Team (station management). Logic and organization of procedures To be fully comprehensive and effective for use by operations personnel, operating procedures for abnormal conditions must meet the following objectives: x Continuous maintenance or prompt restoration of all critical safety functions; x Early plant stabilisation from transient conditions; x Optimum long-term recovery of the plant after the event has been sufficiently diagnosed. It is important that the procedures provide symptomatic and adequate guidance from the beginning of an event or transient so that operating personnel can provide appropriate responses without having to rely on memorised event response when facing a complicated event. Good procedures should assist operating personnel giving priority to the most important matters and information and thus avoid confusion caused by numerous alarms and misdirection to less important matters and information. The relation between action levels and procedures must be clearly and uniquely defined. It is important that the relative priority of action levels and procedures be clear in case of more than one action level occurs simultaneously. After an abnormal condition, the first tasks are to verify the correct response of key plant systems and to take corrective action on any malfunctions. These immediate responses can be common for a variety of events. Thus, the procedure to be entered first should be written so that it is applicable without detailed information on the initiating event. Procedures should be established to assist operating personnel in the event of certain unique failures or failure combinations which are of general concern and which require procedures with a strictly limited scope. Examples of these are Anticipated Transport Without Scram (ATWS), total loss of electric power supply and failure combinations of relatively higher probability which may affect entirely safety systems if not managed correctly. Procedures for monitoring, maintaining and restoring critical safety functions should direct operating personnel towards taking appropriate actions without having to wait for diagnosis of the specific event. Such action should not need to be an optimum response but should protect or tend to restore critical safety functions without delay. These procedures are intended to be applicable to plant conditions regardless of the event sequence that leads to that condition. The “safety function handbook” should correspond to the alarm actions to alert the accident management team early. Additionally, clear and unambiguous criteria for entering emergency procedures must be established in these procedures. Procedure format Care must be taken to assure that procedures for abnormal conditions are presented in a style that is clear and useful to operating personnel during such conditions. A consistent design should be used throughout the procedures. They should be easily identified from other 303 plant procedures (colour, registration number, storage). The procedure title should be short and descriptive so that operators will quickly know the abnormal condition to which it applies. Full quality and document management procedures should apply to such documents, including appropriate referencing of pages and periodic review of material presented. Explanatory information is to be avoided, except when a brief indication of scope or purpose is necessary (e.g. headlines above certain operation steps, like “activate boron supply system”). The procedures shall be limited to “action/verification” steps along with “warning/caution” and short “notes”. Procedural guidance shall be presented in short, concise steps in command form useful in stressful situations. Each step should cover just one action or a group of actions that form an entity and can clearly be referred to with a common command. For each action, consideration should be given to providing a contingency in case the desired result is not achieved. Contingency measures should be presented in a way that will avoid operating personnel looking at them if the plant responds as expected. “Warning/cautions” and “notes” should not include any actions. These should be presented in a format that clearly differs from the action steps. They should directly precede the action step to which they apply so operators are made aware before taking the related action. Words and definitions used in the procedures should facilitate prompt recognition and understanding during abnormal conditions and that should be used by the operating personnel during such situations. There should be consistency with usage in training for abnormal conditions, control room labelling and other plant procedures. A consistent format for use of conditional statements should be followed throughout the procedures. Make instructions as simple as possible — use the logic words “IF ... AND...OR...THEN...NOT...IF NOT” ....and so on. To ensure that operating personnel are familiar with the format of the procedures for abnormal conditions, the procedures for normal operation should, ideally, have the same structure and follow the same principles. It is less important how the procedures are designed — the main objective is, that they can be read easily and are accepted (and improved) by the operating personnel. The authors of the procedures should observe operating personnel during training at the full-scope simulator when using their manuals! Authors of procedures Authors of any kind of operating procedures should have practical experience of the jobs done by the individuals to whom they apply. Authors of procedures for abnormal conditions should possess a shift supervisor licence and several years of practical experience in this position. Additionally they should currently be involved in plant specific safety analyses, procedure updating, plant operation and training of the licensed shift personnel. Experiences as part-time full-scope simulator instructors are helpful. These experts should be involved in the competence verification of the licensed shift personnel. 304 Training in the use of procedures The best way to teach operating procedures is using a plant-specific full-scope simulator, because this gives the most realistic conditions. If such a training tool is not available, a technical information package should be prepared to supplement the procedures. It should, document the technical basis for the procedures, on one hand, and, on the other hand, convey the author’s intent to those applying the procedure. Such a technical package would serve as a training aid during classroom training of the operators and it would minimise the need for explanatory notes in the actual procedures. The comprehensive technical description should contain all relevant technical background information. This information is especially important when considering possible future modifications. The descriptions could cover: x x x x x x x x x x x x x The reason for the chosen method; Why certain methods were avoided; A step by step discussion of the procedure to make it clear why each step is taken; Design concepts and regulations applied; Any unexpected or extreme physical, thermodynamic and hydraulic phenomena; Other actions, which for certain reasons are not discussed in the procedure — but which could however be performed; An explanation of which possible methods are preferred for specific conditions; References to related analyses and computations; Further long-term measures; Results from full-simulator training sequences; If available — analyses and reports of events in other nuclear power plants; Pictures taken of the control room or plant areas which will enhance understanding; A set of questions for repetition and tests. Current computer technology offers new training methods. At RWE Energie AG, Biblis NPP Training Centre a “Web-Based” training tool is under development (1997). With this operating procedures will be available in the Biblis NPP´s own Intranet as web-pages together with self-explanatory links (descriptions, photographs, videos, animated graphics, voice recording). General recommendations Operating manuals should always reflect the highest standard of practical plant operation — which means that regular updates are necessary. The manuals must be designed ergonomically for practical use in the control room and in plant areas. Technical parts of the Operation Handbook (drawings, valve lists, limits) should be kept up-to-date by Technical Support Groups. Direct operating instructions (check-lists, step-by-step procedures) should be prepared and updated by experienced operations engineers with experience of working in the control room (e.g. shift supervisors). Drafts of modified procedures should be tested at the full-scope simulator before being approved for unrestricted use. Operating manuals should always be used during training to make the operating shift personnel familiar with this working tool. Training objectives being used for competence verification of the operation shift personnel should be deduced from the operating manuals. 305 Operating manuals should not be considered as “just another document needed for licensing a nuclear power plant” but as “the most important working tool of the operations personnel”. The operating shift personnel should be trained and called on to optimise the manuals currently by their own practical experience. During the lifetime of a nuclear plant all essential operating experiences needs to be captured and retained in the Operation Handbook. This becomes important especially when a generation of shift personnel moves on after some years. 306 Appendix II COMPLEMENTARY OPERATING CONDITIONS Origins Since 1973, American safety organizations had been discussing the possibility and possible consequences of a failure of the emergency shutdown system associated with a transient (anticipated transient without scram, or ATWS). Emergency shutdown is, in any case, a redundant system, therefore answering to the single-failure criterion. The French safety authorities extended the implications as of 1975, requiring EDF to study the probability and consequences of a complete failure of safety-related systems, in constant or frequent use. The systems involved are those ensuring power supplies, those ensuring heat sink availability and its associated equipment, and those ensuring core cooling via steam generators. In general, these functions are ensured by several redundant systems. A good electrical supply system would be one that had two relatively independent supplies from the grid network, a means of supplying their own systems by operating at reduced load isolated from the grid network, plus two or more diesel supply systems. The safety duty would then be capable of being met by any one of these supplies. During reactor operation, core cooling is ensured by the steam generator normal feedwater system. This system is redundant. Should it fail or the turbine become inoperable, the reactor is shut down, and the steam generators are supplied by means of the auxiliary feedwater system (AFW), which itself has built-in redundancy. The single failure criterion is thus fully catered for. Preliminary investigations on the subject were called “beyond design basis” studies, an expression reserved for studies of very serious accidents whose probability is low. They in fact related above all to operating conditions “that went beyond the scope of conventional design”. To appreciate the advantage and importance of these new studies, a basic reference was needed. The safety organizations then suggested that the probabilistic references used for external hazards be used. The position of the safety authorities In 1977 and 1978, the SCSIN defined, in two letters to Electricité de France, an overall probabilistic goal and practical applications in terms of studies to be undertaken. The main points of these two letters were as follows: x Design of units including a pressurised water reactor should be such that the overall probability of the unit causing unacceptable consequences does not exceed 10-6 per year; x The probabilistic approach should be used for as many events as possible; x The use of a probabilistic approach does not imply demonstration of observance of the overall goal nor direct use of these methods in unit design. However, it can improve the definition of the deterministic criteria used; x Given the overall goal of 10-6, a value of 10-7 is used as the annual probability of occurrence of unacceptable consequences for each event family for which a probabilistic approach can be used; 307 x On the other hand, event families whose estimated frequency is clearly lower than 10-7 per year per unit shall not be taken into account; x “Realistic” design assumptions and methods may be used to study event families whose consideration in unit design is a result of this complementary approach; x Simultaneous failure of redundant trains of safety-related systems should be studied in this framework. These principles call for some comments: x The overall goal is set in terms of “unacceptable consequences”, which are not defined by law or regulation. These consequences must therefore be determined politically and be subject to modification. Practically speaking, each time a probabilistic approach is used for an event family, a prudent well-defined goal is set in terms of avoiding unacceptable consequences; x For aircraft crashes, loss of integrity of buildings housing safety-related equipment shall automatically be assumed to lead to “unacceptable consequences”; x For the total failure of redundant systems, the “unacceptable consequence” which shall be considered is the beginning of core uncovering, with no possibility of rewatering; x The probability of 10-6 per year of unacceptable consequences is an “objective” maximum value. The applicant is not required to prove that this goal is reached; x The value of 10-7 per year is not an obligatory threshold value for an event family since there can be compensation with other families with lower probability; x Additional measures that may prove necessary might include procedures using systems already existing in conventional deterministic design or additional systems. One may be inclined to compare the consequences of the event families analyzed by this method with fourth category operating conditions, just as one is inclined to compare the 10-7 value with the frequency interval lower limit estimated for these conditions (10-6). However, this is an area requiring circumspection, for the operating condition table concerns initiating events, compounded by penalising conditions such as the single failure criterion and loss of off-site power. The probability of this load combination occurring is a priori far lower than that attached to the initiating event alone. In this new approach, the probability is estimated by combining the probabilities associated with each failure involved in the scenario considered. Complementary operating conditions The process is applied in the following manner: x The probability of the family of events considered is assessed; x If the estimated probability is equal to or greater than 10-7 per year, the consequences are assessed in the context of prevailing plant conditions; 308 x If the probability — consequences pair for a family of events is in the unacceptable area, measures to improve the situation must be defined. This can be done by reducing the probability or the consequences, or both. Increased redundancy in safety-related systems comes immediately to mind, but the gain in failure probability diminishes rapidly when the number of trains increases, due to failures liable to affect all trains simultaneously and for the same reasons (common mode failures). However, better use of existing equipment can lead to improvements. We shall now discuss some examples of how these problems have been dealt with. Anticipated transient without scram (ATWS) American safety organizations raised in 1973 the problem of the failure of the emergency shutdown system (scram), which involves the drop of all the reactor shutdown rod cluster control (RCC) assemblies, during the frequent transients which trigger a scram. The RCC assemblies drop by gravity when their holding mechanisms are de-energised. These devices are de-energised by two series-mounted trip circuit breakers, supplied by two independent channels. It would nonetheless appear that there is a probability of between 10-5 and 10-4 of failure of emergency shutdown for each request. Common mode failures have been observed in the USA on emergency shutdown relays and breakers. Since this is a relatively high probability, the results of a failure of emergency shutdown have been examined for all cases studied of second-category incidents calling for emergency shutdown. The most serious problems are the level of over-pressure in the primary cooling system and continued supply of sufficient cooling to fuel rods. These studies show that if failure of emergency shutdown is the only disturbance caused by the transient, no safety limits are endangered. On the other hand, detailed study of the structure of the logic of the protection system controlling emergency shutdown revealed (in 1978) that, for certain faults in the logic, there is also failure of the trip command for the turbine or the start-up command for steam generator auxiliary feedwater system, because these commands are generated by the same systems as emergency shutdown. In the first scenario, stress levels on the primary cooling system would be close to the maximum acceptable limits. In the second, these stresses may eventually exceed permissible limits, when the first transient is the loss of normal water supply to steam generators. It was therefore decided to diversify the control logic of emergency shutdown and of steam generator auxiliary feedwater start-up and turbine trip, and even to diversify the sensors generating these signals as of 1300 MW(e) plants, which had not been built at the time. Damaging cumulative faults can now only come from accidental coincidences whose overall probability is sufficiently low. The ATWS problem is therefore considered to have been solved by such plant modifications. It should be noted, however, that in all cases of automatic actuation of protection or safety systems, operations teams are asked to confirm these commands manually, hence using systems and equipment entirely independent of those used for the initial commands. 309 Total loss of steam generator feedwater supply During reactor operation, water supply to steam generators is ensured by the feedwater flow control system, which recycles condensed steam after passage through the turbine. This system, which is indispensable for electricity production, is not directly safety-related. It is not unusual for this system to shut down completely. This is a second-category transient. Furthermore, the original design of 900 and 1300 MW(e) plants provides for each emergency shutdown of the reactor to stop this system and activate steam generator auxiliary feedwater supply provided by a safety-related system. The steam generator auxiliary feedwater system is driven by two motor-driven pumps and one turbine-driven pump in the 900 MW(e) units and two turbine-driven pumps in the 1300 and 1400 MW(e) units. The probability of total failure of both systems is of several 10-5 per year, which justifies study of the consequences. Normal steam generator water supply regulation was modified to reduce the predicted frequency of use of the auxiliary feedwater system, but the overall gain was still not sufficient. As is generally the case in the present paper, the scenario below corresponds to an accumulation of pessimistic assumptions. The most unfavourable initial condition is also the most frequent: the reactor is operating at nominal full power, and the loss of normal water supply to the steam generators causes emergency shutdown of the reactor and gives the auxiliary feedwater system start-up command after 16 seconds. It is postulated that the auxiliary system fails to start. As long as the steam generators contain secondary water, they remove almost all the residual power of the core. But this level drops and the generators dry out after fifteen minutes. As soon as there is no more secondary water in the steam generators, water in the primary cooling system heats up rapidly and expands. As the primary cooling system pressure rises, the pressurizer fills up. The pressurizer relief valves open, but the pressure rise in the primary cooling circuit does not stop right away. This pressure stabilises around 165 bar with the relief valves open. Water from the primary cooling system gradually drains into the containment and core meltdown is inevitable, because no signal started up the emergency core cooling system, which is normally tripped by low pressure in the primary cooling system. In order to prevent core meltdown, its residual heat must be removed; for this, the pressurizer relief valves must open without fail, but the water which has leaked from the primary cooling system must be replaced by manual starting of the safety injection system. Finally, for safety injection to be effective, it must be started before pressure in the primary cooling system exceed the discharge pressure of the emergency core cooling system. In this case, the core is cooled by water from a once-through system, coming from the emergency core cooling system and pouring into the containment (known as “feed and bleed” cooling of the primary system). This involves a sort of chase between the increase in primary pressure and the opening of the greatest possible number of relief vents, along with safety injection. Operators must therefore act very quickly. If they intervene within fifteen minutes, the core is saved and there is no clad failure. If they intervene within forty-five minutes, the core is generally preserved but there are an increasing number of clad failures. If they 310 intervene after forty-five minutes, their action will have no effect and core meltdown is inevitable. There are ways to identify this accident. They include in particular various secondary cooling water level indicators in the steam generators. These devices have been improved. But deliberately creating a primary break, thereby contaminating the reactor building, is not an easy decision for an operating team to take. This is confirmed by observation of the behaviour of operators faced with this type of situation during simulator training. The detailed study of this accident led to an operating procedure enabling core meltdown to be avoided. Some technical measures have been taken to reduce the probability of this accident and to help operator diagnosis. Power transmission Line Auxiliary Line 400 kV or 225 kV 225 kV or 63 kV Turbogenerator set Line Transformer 900 MWe 24 kV Unit Transformer TS Auxiliary Transformer 6,6 kV LGA TA LGD 6,6 kV LGC LGB A B LHA Diesel generator sets LHB Train A Train B Emergency-supplied Switchboard FIG. 20. 900 MW(e) plant power supplies. Total loss of power There are many ways to supply the power needed for safety functions in French nuclear power plants (Fig. 20). x Two relatively independent external supplies from the national grid; x House load operation, wherein the unit is separated from external power supplies and only operates to supply its auxiliaries; x Two internal supplies, each comprising a diesel-powered generator set. 311 Any one of these sources can supply all power needed for safety purposes. This power is distributed to equipment which needs it by means of two electrical switchboards, each with its own line. Each diesel generator is allocated to one of the switchboards. Total failure of power supply to safety-related equipment may be caused by simultaneous failure of either all power supplies or both electrical switchboards. The total probability of this is of a few 10-5 per year, due in almost equal proportions to failure of supplies or of switchboards. It is therefore necessary to study the consequences. The loss of both power supply lines causes: x Control rods to drop; x All motor-driven pumps to stop; x All motorised valves to become immobilised, some in safe configurations; x Loss of compressed air, at least after depressurisation of the buffer tanks on certain circuits; x Depletion of batteries and, after an hour, loss of all indications and control in the control room. The fact that the reactor stops due to the control rods dropping helps, initially. Shutdown of reactor coolant pumps fitted with flywheels is provided for in case of emergency shutdown and ensures transition of the coolant to natural circulation. Removal of residual heat can be ensured by means of steam generators supplied by the turbine-driven auxiliary feedwater pump(s), with steam discharged to the atmosphere. On the other hand, the hydrodynamic seals of reactor coolant pumps will rapidly suffer the consequences of shutdown of chemical and volume control system pumps, which inject water at very high pressure into these seals, and shutdown of the component cooling system, which supplies cold water to the thermal barrier which helps protect them. The result is a significant risk that these seals will become damaged and a primary break occur. But the safety injection system is not operative, except for the accumulator tanks, nor is containment spraying. In a few hours, therefore, a very serious accident could occur. It was decided to make certain modifications to installations (Fig. 21) and equipment, and the corresponding operating procedures were added (H3): x Use of the primary system motor-driven test pump8, which has a low flow rate, to establish injection to the reactor coolant pump seals within two minutes. This pump is supplied by a small emergency turbo-generator (LLS), installed on each 1300 MW(e) and 1400 MW(e) unit and driven by steam from the steam generators (each pair of 900 MW(e) units is equipped with a test pump and an LLS); x Maintenance of a minimum of control and instrumentation functions, for control of pressure and temperature in primary and secondary cooling systems, control of primary system refill and speed control of the turbine-driven pump(s) for auxiliary supply of the steam generator and the atmospheric steam relief valves. The small turbo-generator also provides the supplies needed for these. 8 The test pump is used to pressurise the primary system for the regulatory start-up and periodic tests via the reactor coolant pump seal injection lines. 312 Dump to Instrument air atmosphere Tank Turbine-driven AFW pump AFW Tank Atmosphere LLS Turbogenerator Instrumentation G and Control Atmosphere LLS Switchboard M RWST RCS Test Pump Reactor Coolant Pump FIG. 21. Remedying total loss of power situations. If water from the primary cooling system is not being discharged, the pressurizer fills up due to the water injection to the reactor coolant pump seals. The space needed is created by using the steam generators to cool the primary coolant, thereby causing it to contract (at the beginning of this scenario at rated power, primary cooling water, at average temperature 286°C, has a relative density of approximately 0.7; it should be possible therefore to gain around 100 m3). The first studies showed that it would be possible to keep the fuel in a satisfactory condition for 20 hours under these conditions. It proved possible to extend this period even more by optimising procedures and re-supplying the steam generator auxiliary feedwater tank. It should be pointed out that this procedure and the associated equipment make it possible to completely avoid damage to the fuel and significant radioactive release. These periods are now sufficient to re-establish an external power supply from: x A unit in house load operation on the same site; x A neighbouring site; x A nearby hydraulic generator set; x Start-up of the site gas turbine or emergency diesel generator provided to supplement the power supply possibilities of each site to improve availability; x Connection of the back-up electrical switchboards to the diesel generator of a neighbouring unit; x Bypassing the inoperable electrical switchboards by means of the connection harnesses used during routine testing. 313 All units in service are now equipped with these systems and the problems of reliability of the additional equipment are gradually being solved. List of complementary procedures We have just seen in detail three accident situations where probabilistic studies led to additional provisions. These are not the only ones. We shall only discuss the remaining ones quickly, after giving the list of those accompanied by operating procedures: x H1: Loss of the heat sink or systems ensuring heat transfer to it; x H2: Total loss of water supply to steam generators; x H3: Total loss of power; x H4: Loss of the safety injection system or the containment spray system, during the longterm period following a LOCA type accident. x H5: Protection of certain river sites against floods higher than the thousand-year flood. Total loss of the heat sink Available site water reserves, and the procedures used to re-supply the steam generator auxiliary feedwater tank, ensure sufficient time to restore the heat sink, or actuate the systems ensuring heat transfer to it, when the primary cooling system is pressurised. The procedures indicate what to do in various situations, whether the reactor be power operating or shut down. Total loss of the safety injection system or the containment spray system The accident which occurred at the Three Mile Island reactor confirmed the need and also the difficulty of keeping active for months systems rendered inaccessible for maintenance or repair by the radioactivity of the fluid they contain. Probabilistic checks confirmed that the probability of pumping system failure over a period of several months could not be overlooked. The two particular systems involved each had two pumps, one of which was sufficient. These four pumps have similar characteristics. The installation of connections between the two systems ensure mutual back-up. These connections must, of course, be fitted in advance on systems not yet contaminated. Procedure U3 concerns total failure of all pumps. It mainly consists in prefitted connections accessible after a LOCA, enabling use of a pumping system and, if required, a heat exchanger, which are not routine plant equipment but can be brought to the site in the event of an emergency. These devices, together with associated radiation protection provisions, are designed to enable intervention, for example, two weeks after a major primary break. Like the I procedures (for Incident) and A procedures (for Accident), derived from the event-oriented deterministic approach, the goal of the H procedures is to prevent or limit damage to fuel. 314 It is important to bear in mind that, given the manner in which the scenarios and corresponding probabilities are determined, the first three H procedures cover events which are far more likely to occur than major primary or secondary system breaks for example, even though attention was drawn to them at a later date. The H procedures, by organizing in advance optimal use of all equipment provided in the deterministic context or of relatively little additional equipment, make it possible to prevent clad failures in the situations concerned, thereby supporting the first and third levels of defence in depth. 315 Appendix III PREPARATION FOR THE MANAGEMENT OF SEVERE ACCIDENTS Environmental release due to the Three Mile Island accident was very slight owing to the satisfactory performance of the reactor containment. However, both those directly responsible for the plant and the local and federal authorities were unsure for several days how the situation was going to develop and were considering evacuating populations. Finally, it was decided to evacuate only pregnant women, which in fact proved to have been unnecessary. This event made it evident that means had to be provided for the systematic management of such situations should they reoccur despite improved preventive measures. This proved that the reactor containment behave well under conditions well outside the design basis spectrum. This also suggests that when planning to deal with such accidents one needs robust designs and must provide tools for forecast ways in which the situation could develop, indicate corresponding release breakdowns and the paths to the environment under the specific conditions of the accident considered. All authorities concerned would then be able to make timely and well adapted decisions for the protection of populations and the environment. These aspects will be investigated in this and the next two Sections. Before assessing containment behaviour, we have to consider the successive physical phenomena liable to occur in a pressurized water power reactor during what is known as a “severe accident”, i.e. an accident the potential consequences of which exceed those of design basis accidents. Before such conditions could be reached, the fuel would presumably have had to be significantly degraded by more or less complete core meltdown. Core and vessel degradation The sequence of events which would occur under conditions corresponding to the total failure to respond of these two safeguard systems and of other core meltdown prevention procedures are considered further below. Core dewatering There are two categories of primary system drainage situations: x Primary system breaks, causing core dewatering at a relatively low pressure, a few tens of bar at most; x Failure of secondary system cooling procedures, resulting in water and steam dumping through the pressurizer relief valves, inducing core dewatering at high pressure, in the vicinity of the normal operating pressure. Depending on the initial condition, the size of the break, the accident sequence, the safeguard system failure level, dewatering may take from less than a minute to several hours or even days. For example, a 5 cm diameter hole on a main primary system pipe would result in fuel uncovering in 30 minutes if no safety injection were available. 316 Fuel degradation As the water level recedes, the temperature of the uncovered part of the core rises due to the residual power. The zircaloy cladding, which is at a temperature of 350°C or less under normal operating conditions, starts deforming at between 700 and 900°C. If the pressure in the vessel is low, the cladding swells and bursts. If this pressure is high, it collapses onto the fuel pellets, facilitating the formation of a eutectic UO2-Zr which melts at around 1200 to 1400°C. In both these cases, the volatile fission products which have accumulated in the clad-pellet gap are released into the primary system. The zirconium in the cladding oxidises upon contact with the steam. The kinetics of this phenomenon increase rapidly with temperature and double every 50°C. But it must be borne in mind that : x This is an exothermic reaction, generating its own heat as it progresses which means that the phenomenon is also divergent; x The reaction releases hydrogen9 to the primary system and then to the containment. This will considerably reduce the cooling capacity of the steam generators and generate a risk of hydrogen combustion within the containment; x The cladding is embrittled, which accelerates its destruction in the event of a thermal shock. When the fuel pellet temperature increases, the fission product release kinetics increase. At between about 1300 and 2200°C, the control rods constituents (silver, indium and cadmium) melt and vaporise. At around 1800°C, the oxidised part of the cladding will melt and begin to flow. It is not until a temperature of 2700 to 2800°C is reached that, unless a eutectic is formed with the zirconium, that the uranium oxide itself melts, thereby inducing loss of core geometry by local, and then general, collapse. This will give rise to formation of the first corium, which is a molten mass of fuel and structural materials, held in their molten condition by the residual heat of the fission products. Practically all of the most volatile fission products have at this point escaped from the fuel. Vessel degradation The collapse of the core components induces the sudden vaporisation of any water remaining at the bottom of the vessel, more or less closely followed, depending on the primary system pressure, by perforation of the vessel bottom head. This can take a few tens of minutes or several hours. If the primary system is pressurised, the corium may be dispersed on leaving the vessel. This could facilitate a further sudden interaction with any water at the bottom of the vessel. However; in all cases, it is postulated for accident management studies that all the corium collects in the bottom of the vessel. 9 The oxidizing of 1 kilogram of Zircaloy produces about half a cubic meter of hydrogen at normal pressure and temperature. Considering the quantities of zirconium present in each type of installation, this corresponds to the production of about 1 kilogram of hydrogen per MW(e). 317 Basemat erosion The basemat concrete then decomposes under the thermal effects of the residual heat released from the corium, increased to begin with by heat from the oxidation of metals, such as the vessel steel or the remaining zirconium. The free water, bound water and carbon dioxide gas contained in the concrete will be released and penetrate the corium, where they will contribute to the oxidation of any remaining metal materials and the production of hydrogen and carbon monoxide, both of which are combustible. The calcium and silica oxides will be gradually integrated into the corium. As soon as the oxidation reaction is over, the corium will gradually cool. The temperature of the oxide phase containing the main non-volatile radioactive products will stabilise for a long period at between 1300 and 2200°C when a near-equilibrium is reached between the residual heat and the thermal losses at the corium surface and the corium-concrete interface. If a denser metal phase remains, it will contain few radioactive products. It will cool faster and solidify within a few hours, thereby slowing down the progression of the corium. So the fast basemat erosion phase would last about an hour and would correspond to concrete degradation to a depth of about 1 meter (Table XVIII). The rate of degradation would then decrease to a few centimetres per hour, strongly influenced by the specific properties of concrete. Further penetration stops when the corium-concrete interface temperature falls below the concrete decomposition temperature, which is about 1100°C. However, basemat meltthrough is considered almost inevitable. The corium would then stop after penetrating a few meters into the subsoil. As its residual heat decreases and the volume deposited beneath the foundations increases, it then cools by thermal conduction and solidifies. TABLE XVIII. BASEMAT EROSION KINETICS Penetration depth Minimum time Maximum time 2m 0.8 d 1.4 d 3m 1.5 d 2.9 d 4m 2.5 d 2.3 d 5m 3.8 d 6.2 d Complementary studies have been undertaken to investigate basemat fast cracking hazards related to the thermal shock caused by contact with the corium. The Rasmussen report At the request of the American safety authorities, Professor Norman C. Rasmussen of the Massachusetts Institute of Technology (MIT), conducted from 1972 to 1975 a scientific investigation into hazards created by the use of nuclear power reactors. This overall survey based on earlier studies gave a systematic analysis of accident scenarios and was aimed at defining a relationship between accident probabilities and resulting numbers of deaths. The Rasmussen report, published in 1975 under the references WASH 1400 and NUREG 75-014, is still the basis of all PWR severe accident studies. It is also the first example of a probabilistic safety study giving figures for the probable impact on the population. The French Safety Authorities took an immediate interest in this survey, less from the standpoint of the probabilities and consequences for populations, which involve considerable 318 uncertainties, than with regard to the aspects dealing with reactor core degradation and the behaviour of a reactor containment. The Three Mile Island accident obviously further stimulated discussions on these subjects and caused the various nuclear participants in France to move on from theoretical assessments to the implementation of practical measures. That accident clearly demonstrated the value of having a well-designed containment to protect both the public and the environment. The Chernobyl accident, an unfortunate example of core degradation with unconfined radioactive release, only serves to reinforce this conviction. The Rasmussen containment failure mode classification is still used and comprises six main modes: x Mode D: steam explosion in the vessel or reactor pit, inducing loss of containment integrity in the short term; x Mode E: initial or fast-induced loss of integrity; x Mode J: hydrogen explosion; x Mode G: slow over pressurization; x Mode H: basemat melt-through by the corium. Mode V, which bypasses the containment using outgoing pipes, is dealt with separately, since it does not directly concern the behaviour of the containment building. All except mode E, (and Mode V) result eventually in formation of corium and rupture of the reactor pressure vessel, unless the molten fuel becomes dispersed. It should be borne in mind that with the fuel enrichment proportions adopted for nuclear power plants equipped with light water reactors, a chain reaction cannot take place without the right moderator geometry. On the other hand, a very small number of fuel elements, having maintained their geometry while submerged in pure water, can constitute a critical configuration. Whatever the size and geometry of the compact corium, reverting to criticality should not be possible. However, investigations are still proceeding into other possible unforeseen configurations and specific mixtures. The Rasmussen report describes a large number of special sequences, grouped in families, all related to the technology of the American reactors which provided the basis for studies and know-how at that time. Systematic discussion of that work is not relevant here because they do not deal with reactivity accidents characterised by high speed kinetics. Thorough analysis of the Rasmussen report in terms of the French nuclear units started in 1975. It was, from the outset, mainly focused on the definition of a means of limiting the consequences of severe accidents. It was organized around two complementary topics: x Simplified characteristics of types of release; x Analysis of failure modes and provisions to deal with them. 319 Deeper insight together with the probabilistic safety studies enable initial trends to be brought into line with more realistic views and solutions, which will gradually be taken into account. Source terms The institute for protection and nuclear safety (IPSN) sought to characterize specific types of release called “source terms”. A source term is a specific type of release characteristic of a reactor family representative of a type of accident, i.e. in general, a mode of containment failure following complete core meltdown. It is taken into consideration to define appropriate corrective actions for the protection of populations under these extreme emergency conditions. There are three source terms, listed below in decreasing order of seriousness: x Source term S1 corresponds to early containment failure a few hours after onset of the accident; x Source term S2 corresponds to direct release to the atmosphere following loss of containment integrity one or several days after accident initiation; x Source term S3 corresponds to indirect, delayed release to the atmosphere. These studies were underway at the time of the Three Mile Island accident. Provisional values which would have been smoothed became set values, which explains the inappropriate precision of certain figures (Table XIX). As in the Rasmussen survey, assessments were aimed at reality. The purpose here was not to provide a safety demonstration based on penalising assumptions, but to optimise plants where basic design has been definitely adopted or to define organizational procedures for the protection of the general public. However, each source term covers, by definition, a certain number of possible scenarios. The values retained in this context are presented as percentages of the initial activity of the radioactive products present in the reactor core: Modes D, E and J without prevention and mitigation provisions could lead to S1 type release. Mode G could lead to S2 type release. Mode H, loss of containment integrity by basemat melt-through, could lead to S3 type release. TABLE XIX. PERCENTAGE OF RADIOACTIVE PRODUCTS RELEASED TO THE ATMOSPHERE. Source term Noble gases Mineral iodine Organic iodine Caesium Tellurium Strontium Ruthenium Lanthanides and Actinides 320 S1 80 60 0.7 40 8 5 2 0.3 S2 75 2.7 0.55 5.5 5.5 0.6 0.5 0.08 S3 75 0.3 0.55 0.35 0.35 0.04 0.03 0.005 Uncertainties remain as to iodine and aerosol behaviour, despite the continued implementation of large scale experimental research programmes. The gradual improvement of our knowledge in these areas could ultimately modify the source terms presently defined. It would also lead to design optimisation for future reactors where the defence in depth provisions would enhance prevention of substantial radioactive release. Severe accident management studies in France In tandem with the definition of source terms, the French study programmes included examination of each of the Rasmussen degradation modes to determine their relevance to French plants and define ways of lessening the probability or consequences by reinforcing the final containment barrier. For there may be simple means of preserving or restoring containment integrity, but these could only be used under particularly difficult conditions if their implementation had been thoroughly prepared beforehand. The different failure modes were then considered under conditions postulated in the light of the Rasmussen report and discussions on the French standardized power plants. The following scenario was thus postulated, for instance: with primary system cooling no longer assured, the system drains, the core melts and penetrates through the bottom of the vessel in about 2 hours. The basemat is eroded by the corium produced, which finally melts through it. The kinetics of this accident are relatively slow. This scenario could correspond to that of a large primary break compounded by total loss of safety injection and containment spray capability. Incidents or anomalies observed in France show that simultaneous failure of the pumps actuating these two systems is reasonably likely. Several incidents and non-conformance could be possible precursors. An example happened with the sump filter anomaly observed on the 1300 MW(e) units. Incompatible lubricants had been used for the safety injection pump seal oil but was not detected by routine checks. They were detected in the course of inspection or maintenance operations — confirming the importance and efficiency of the latter — and were of course corrected. Such anomalies on their own could not cause a primary system break but could have worsened the effects if one had happened. However, the probability of the type of scenario described would not seem high enough to call into question the design basis of the plants concerned. But, on grounds of defence in depth, we nevertheless do our utmost to improve the possibilities offered for the practical control of such situations, based on realistic scenarios. The Rasmussen containment degradation modes are being re-examined on this basis with a view to determining their plausibility and defining possible improvements in the framework of a given design basis. These studies are based on knowledge which is still very limited. This justifies the organization and pursuance of experimental work in difficult fields. Although results are still pending, decisions nevertheless have to be made. The solutions adopted in this context are consequently not given the same quality level and degree of certainty as were obtained for the original design studies. This is one of the basic characteristics of severe accident management studies. It will obviously evolve as new data becomes available. In 1981, EDF was asked to define ultimate emergency procedures designed to prevent or minimise the radiological consequences of severe accidents. Provisions in this respect have been progressively proposed by the national utility and their principles accepted by the safety 321 authorities. All French plants have now been equipped accordingly. However, greater insight into these questions and continued research could result in further modifications Loss of containment integrity due to a steam explosion The Rasmussen mode D scenario is as follows: a large primary system break occurs and neither the safety injection nor the containment spray systems are operable. After 1 to 2 hours, the core melts and drops either into the bottom of the vessel or through the vessel into the reactor pit. In both cases, if the corium is sufficiently dispersed and if there is water in the bottom of the vessel or of the reactor pit, a steam explosion could occur upon contact with the water, releasing sufficient energy to project missiles which could impair containment integrity. Mode D thus implies considerable dispersion of the fuel for the heat transfer area between the hot fuel and the water to be large enough to cause a steam explosion and also requires a sufficient quantity of water. On the basis of the scenarios described, this occurrence seems highly unlikely, but with the present state of the art, this cannot be demonstrated. Studies are still proceeding, but experts assembled by the OECD considered loss of containment integrity due to this phenomenon to be sufficiently unlikely and this mode was dropped from the French study programmes. It was not until the Chernobyl accident and the reopening of criticality accident study programmes that this mode came back to the forefront in the context of entirely different scenarios (fast introduction into the core of a sufficient volume of non borated water in hot shutdown conditions). The kinetics of the phenomenon are, in any case, too sudden for accident management procedures to be of any assistance. As a result, such severe criticality accidents must be convincingly avoided by preventive measures. Containment isolation faults Containment integrity is monitored continuously monitored by comparing the containment gas injection rate (leaks from compressed gas systems or valve motion in response to use of these gases) with internal pressure changes. Routine tests on the containment penetration isolation valves confirm that they are operating correctly. Pressurisation of the containment at start-up and every ten years enables its leak rate to be compared with the specified values. These provisions should suffice to preclude any serious isolation faults prior to the accident. Leaks can however occur if the automatic isolation of the various penetrations under accident conditions fails to operate correctly or if the air locks are defective. This loss of containment integrity mode, mode E, is extremely important, since it can lead to radioactive release to the environment very early on in the accident. The short time interval involved is not sufficient for radioactive decay and deposition in the containment to play a role, nor for the public authorities to take steps for the short term protection of populations in the immediate vicinity of the plant. In order to deal with such situations, EDF developed its procedure in the event of a containment isolation fault named U2. The purpose of this procedure is to monitor containment integrity under accident conditions, as soon as a certain level of radioactivity is detected in the containment, even for minor accidents, and to identify and localise any defects, providing, if possible, remedial action. This procedure supplements the continuous monitoring of the containment leak rate under normal operating conditions. 322 U2 comprises a set of actions defining: x Containment surveillance conditions, by measuring radioactivity released from the stack, present in the sumps or in peripheral facilities and their ventilation ductwork, and by verification of the condition of isolation valves; x The types of action to be taken, such as confirmation of isolation commands, the localisation of leaks and the determination of how to eliminate them, the containment of a room or, at a later stage, the return of liquid wastes to the reactor building. With all these different precautions, it should be possible to restrict short term release to values defined for design basis accidents. Hydrogen production and combustion In the description of LOCA accidents, we mentioned the risk of a water-zirconium reaction, producing both energy and hydrogen. In the context of 4th category accidents, it is stipulated that clad temperature shall not exceed 1204°C and that the reaction shall not involve more than 1% of the zirconium. In the circumstances considered, since core meltdown is postulated together with formation of corium, it must be assumed that much of the zirconium in the core will have reacted with water and released hydrogen, according to mechanisms described at the beginning of this Section. As long as this hydrogen remains in the primary system, it cannot burn because there is no free oxygen. This is no longer the case if it reaches the containment atmosphere. However, for there to be an explosion, there has to be an appropriate blend of hydrogen, air and steam (see SHAPIRO chart, Fig. 22). Combustion also requires a detonator. Metal corrosion in the containment, radiolysis10 of sump water and corium-concrete interaction are also sources of hydrogen, but the quantities produced by the first two phenomena are slight. Corium-concrete interaction, on the other hand, can produce in 48 hours a quantity of hydrogen equivalent to that resulting from a zirconium reaction. Mode J corresponds to loss of containment integrity due to a hydrogen and carbon monoxide explosion in the reactor containment. In fact, we have to differentiate between two types of fast combustion: deflagration and detonation, the conditions and consequences of which are very different. Deflagration A deflagration is a form of combustion which, once initiated, is propagated through the mixture by gas conduction heating and diffusion of free radicals in the unburned gas area. Propagation occurs at a speed of several meters per second. It can be triggered with relatively low proportions of hydrogen (the SHAPIRO chart gives a threshold of about 4% in dry air). The initiating energy level required is slight, less than 1 milliJoule. A hot spot of about 500°C can trigger spontaneous ignition if there is no steam. On the other hand, beyond a steam concentration of 50 to 60%, there is no risk of deflagration. 10 Radiation-induced decomposition of water into free hydrogen and oxygen. 323 100 Air (% mole) Detonation Limits 80 20 40 60 Deflagration Limits 60 40 1 bar - 30°C 1 bar - 150°C 8 bar - 150°C 20 80 H2O (% mole) 100 100 80 60 40 20 H2 (% mole) FIG. 22. Shapiro chart. Ignitibility limits for the H2–H2O–Air mixture. The mean containment concentrations reached under accident conditions having induced major zirconium-steam reactions are sufficient for hydrogen deflagration providing there is no inerting effect from steam. Such deflagrations occur extremely fast, and long before there has been any significant contribution from the reaction between the corium and the basemat, which means that the two modes of hydrogen production would be disconnected. The immediate or delayed operation of the containment spray system, which will lead to condensation of the steam in the containment, would have a significant effect on triggering a deflagration. If we postulate the combustion of all the hydrogen produced by oxidation of all zirconium present in the vessel in a single deflagration, the maximum instantaneous pressure reached in the containment would not suffice to crack the liner of a 900 MW(e) unit, at least where there are no discontinuities, so overall leak tightness would be preserved. Such an incident could, on the other hand, cause at least transient through-wall cracking in the 1300 MW(e) unit inner containment (the concrete is prestressed), although sufficient margins would be preserved with respect to structural failure. Table XX presents pressures calculated under adiabatic conditions, but also taking into account heat exchanges with the structures, which is more realistic. The effects of concrete thermal stressing are under investigation. It is indispensable to ensure in all cases that isolation valves and electric cable penetrations remain unimpaired. It should be borne in mind that this table is based on two postulates: reaction of all vessel zirconium with the water and combustion of the hydrogen produced in a single deflagration. In the majority of cases, the hydrogen would progressively exit the core soon as it is produced, entrained in the escaping primary fluid. There could then be several successive deflagrations, none of which could cause an over pressure that would damage the containment. 324 TABLE XX. H2 PRODUCTION AND CONTAINMENT CHARACTERISTICS Standardized plant series Free volume (m3) Zircaloy mass (kg) H2 produced by 100% oxidation (TPN m3) Mean H2 concentration in a dry atmosphere Design basis pressure Through-wall cracking limit Collapse limit Maximum deflagration pressure under adiabatic conditions Maximum deflagration pressure with heat exchanges * CP 0 46 000 19 820 9 766 CP 1-2 50 400 21 600 10 651 P4 81 500 27 920 13 765 P’4 70 440 27 920 13 765 N4 73 000 29 660 14 623 19.1% 19.3% 22.8% 17.8% 18.2% 4.7 bar* 5 bar 13 bar 10.7 bar 4.8 bar 7.5 bar 10.4 bar 8.95 bar 5.2 bar 8.1 bar 11.8 bar 9.75 bar 5.3 bar 8.3 bar 11.8 bar 9.75 bar 9.2 bar 7.6 bar 8.3 bar 8.3 bar < 9.2 bar The pressures are indicated in absolute values. It is interesting to note in this connection that the possibility is being considered of equipping containments with an appropriately sized catalytic recombination system for removal of free hydrogen before deflagration concentrations could be reached. Detonation A detonation is a form of combustion occurring at the interface between supersonic shock waves and the unburned gas compression wave, producing a chemical reaction. A detonation implies far higher hydrogen concentrations than a deflagration. The SHAPIRO chart defines the detonation range as between 18 and 55% of hydrogen in dry air. Recent experiments show that the threshold would be lower for very large volumes. The required initiating energy depends on H2 concentration very much. The presence of steam raises both the concentration threshold and the initiating energy requirements. But it is logical to assume that a considerable proportion of the primary system water will be in the containment following core meltdown. At least part of the 300 or 400 m3 of water would certainly be there, in the form of steam, especially if the containment spray system is inoperable. If this system had been working, there would have been a deflagration, and would not apply to a loss of core cooling resulting from major primary coolant leakage outside the containment. But in this case, it would seem probable that the hydrogen would be entrained to the atmosphere, as would the volatile fission products. The 900 MW(e) reactor containment has the highest theoretical hydrogen concentrations. They are located towards the lower detonation limit of the Shapiro chart. They would be diminished by the presence of steam. In the course of experiments, flame acceleration mechanisms have been observed in pipes featuring discontinuities, able to induce transition from deflagration to detonation, but these results are difficult to extrapolate to the dimensions of a containment. Studies are proceeding to determine the characteristic dimension beyond which the phenomenon disappears and also the consequences of a detonation in a bunkered area. 325 1.00E+06 30 % steam Initiation energy in kJ 1.00E+05 20 % steam 1.00E+04 1.00E+03 1.00E+02 10 % steam 1.00E+01 1.00E+00 10 20 30 40 50 60 70 Hydrogen percentage in volume FIG. 23. Energy required to initiate a detonation in an unconfined atmosphere. All things considered, the probability of loss of containment integrity due to hydrogen combustion seems slight. At the present time, no accident provisions are made in this respect. There is consequently no special procedure for these circumstances. However, complementary investigations are still proceeding, notably concerning the conditions under which the various gases mix, the risks of stratification and local hydrogen concentrations and also the degree to which containment strength is affected by the differences in reinforced concrete densities. Slow pressure buildups in the containment Mode G corresponds to a longer term containment failure caused by overheating of the containment atmosphere caused by inefficient removal of fission product energy and the gradual release of very large quantities of gas during damage to the foundations caused by corium melt-through. These gases could also be accompanied by steam from the water used to try and impede the corium advance by cooling it. In these circumstances, the containment pressure could rise steadily, reaching the design basis limit after about 24 hours and then continuing relentlessly beyond. It was decided to deal with the possibility of irremediable loss of containment integrity by over pressure by providing a containment pressure control device, consisting of a filtered venting system designed for use when required: To restrict containment pressure to the design basis value; To reduce by a factor of at least 10 the aerosols contained in the gases released; To route the filtered gases to the stack which is equipped to monitor their radioactivity and facilitate their atmospheric dispersion. 326 The solution adopted consists in using a containment penetration initially intended for depressurisation purposes during acceptance pressure tests and the subsequent routine leak tests. A set of valves, a pressure-reducing device and a sand bed filter package, 42 m2 in face area and 80 cm deep, are fitted between this penetration and the stack. Later on, it was decided to install a prefiltration package inside the containment to solve, among other, radiation protection problems. The U5 procedure “containment depressurization” only would be implemented under severe accident conditions after close consultation with the EDF central services and the public authorities. Early release paths through the basemat The vessel failure postulated in severe accident studies results in the corium falling through to the bottom of the reactor pit. We described at the beginning of this Section various physical events related to erosion by thermal phenomena. Mode H corresponds to basemat “rupture” after its complete melt-through by the corium. This would require between one and several days, depending on the basemat characteristics (4.20 m for the standardized 900 MW(e) units and 3 m for the 1300 and 1400 MW(e) units). This period would allow the decay of short-lived radioactive products and the deposition of many others on the containment walls or in the sump. If the corium fell through the basemat, it would soon stop in the soil beneath, but the groundwater could eventually be polluted by leaching processes11. Solutions include drilling a system of shafts round the affected unit, equipped with pumps to prevent the transfer of contaminated water to bleeding points, rivers or the sea. Any water at the bottom of the containment, injected to try and cool the corium, would be heavily laden with radioactive products and could pour out into the soil through the hole in the basemat, as could the containment gases forced out by the internal pressure. It could prove more difficult to confine such contamination. The atmospheric release would nevertheless be bounded by source term S3. So far, we have not discussed the various holes in the foundations which could be affected by the corium and provide outlets for the pressurised gases in the containment. All light water reactor buildings comprise dynamic testing systems, designed to monitor basemat deformation with time, especially during containment pressurisation for periodic strength and tightness tests. These devices are located 1 m below the basemat surface in the 1300 MW(e) units and 1.70 m below in the 900 MW(e) units (Fig. 24). The 1300 MW(e) units are equipped in addition with a basemat drainage system, located 2 m below the surface. Compensatory measures were consequently defined and were the subject of procedure U4: “handling early release paths through the basemats”. Since then, sealing systems, plugging beneath the reactor pit and permanent obstructions have been installed. No further action is required of the operators on this particular point, so that procedure U4 in fact no longer exists. The modifications installed are aimed at taking advantage of radioactive decay and ground filtration in the event of basemat perforation and extending the time available to make the necessary off-site provisions. 11 Washing of free surfaces leading to extraction of soluble products. 327 Containment spray Tank Containment G J CO2 CO Heat exchanger H2O Sand Filter Stack H2 Fission Products D Filter E Sumps Auxiliary Buildings Ventilation ducts Drains H FIG. 24. Rasmussen containment failure modes. Identification and analysis of other scenarios We have discussed the impact of the Rasmussen report as an initiator of severe accident studies in France and in most of the countries using nuclear power. However, the investigations are not restricted to analysis of the containment failure modes described in the report. We have already mentioned the risks of direct release to the atmosphere due to mishandled steam generator tube break sequences. The possibility of other direct release paths bypassing the containment, is being carefully examined with a view to defining complementary preventive measures and protective actions if and when required. Mode V corresponds to such cases, postulating significant direct leaks in peripheral buildings, due to defective tightness of the safety injection system check valves. Another containment bypass has been identified on French plants. It is related to the fact that the reactor cavity and spent fuel pit cooling and treatment system, which is outside the containment and not pressure-resistant, is connected to the residual heat removal system, which is designed to withstand 40 bar pressures. Structural provisions, together with special surveillance and procedures combine to make this risk sufficiently improbable. Radiological consequences of source term S3 and intervention provisions On the basis of the accident studies presented above and providing the ultimate emergency procedures are implemented, “maximum plausible release” values are bounded by source term S3. The radiological consequences corresponding to this source term have been assessed and population protection measures examined in the light of these consequences. Since we are no longer in a design basis context, the assessment was not based on a recent set of charts derived from the Doury charts, designed to deal with realistic and varied situations. These charts take into account atmospheric stability, wind speed and rain. 328 To calculate them, it was considered that source term S3 could be represented by a scenario involving a sand filter which would enable containment depressurisation within 24 hours, with release beginning 24 hours after onset of the accident. During the first 24 hours, a containment leak rate of 0.3% per day of the mass contained is postulated, with half of this leakage escaping directly to the atmosphere, the other half being recovered and filtered with a 100 factor efficiency. Whole body dose equivalent due to external exposure (Sv) 1 Evacuation almost always justified 0.1 Sheltering almost always justified 3 0.01 1 2 0.001 1 10 100 Distance from the release point (in km) FIG. 25. Radiological consequences due to source term S3. Three types of weather conditions were considered: (1) Normal diffusion, wind of 5 m/s, no rain (ND5d). (2) Normal diffusion, wind of 5 m/s, rain at 1 mm/h (ND5r). (3) Low diffusion, wind of 2 m/s, no rain (LD2). The graphs show results obtained for: x Whole body dose equivalent due to the plume compounded by ground deposits; x Thyroid dose equivalents due to iodine. These results have now to be compared with the possibilities of implementation of protective measures for the general public. For this, we shall consider the recommendations formulated by the International Commission on Radiological Protection before assessing the possibilities of intervention by civil security teams in areas around the sites. ICRP recommendations for accident situations The International Commission for Radiological Protection proposed in its publication 63, released in 1993, a procedure ensuring population protection under accident conditions (Table XXI). The procedure defines intervention levels mainly concerning evacuation and confinement indoors, accompanied by the distribution of stable iodine, but is so devised as to be open to constant improvement. Evacuation, confinement indoors or the administration of stable iodine can obviously involve drawbacks with respect to the physical or psychological well-being of the populations concerned or those assigned with implementing these measures. Such drawbacks also have to be carefully weighed up. The same caution applies when considering restrictions on the consumption of certain foodstuffs. 329 Thyroid dose equivalent (Sv) 10 Evacuation almost systematically justified 1 Sheltering almost systematically justified 3 0.1 1 2 0.01 1 10 100 Distance from the release point (in km) FIG. 26. Radiological consequences due to source term S3. TABLE XXI. ICRP PUBLICATION 63 RECOMMENDATIONS. Intervention level of averted dose Type of intervention Almost always justified Range of optimized values Sheltering 50 mSv Administration of stable iodine 500 mSv(equivalent dose to thyroid) Evacuation (< 1 week) Whole body dose 500 mSv Equivalent dose to skin 5000 mSv Relocation 1000 mSv 5–22 mSv per month for prolonged exposure Restrictions on a single foodstuff 10 mSv (in 1 year) 1000 to 10,000 Bq/kg (E J emitters) 10 to 100 Bq/kg (D emitters) 330 Not more than a factor of 10 lower than the justified value The yardstick for intervention is the dose averted by the implementation of the protective action. The indications in the above table are accompanied by cautious considerations making full allowance for optimization. So the indications on the two graphs representing the radiological consequences associated with source term S3 are to be considered with prudence. Scope of civil security interventions Since the beginning of the eighties, the public authorities have also been working on the definition of realistic ways of implementing protective measures for populations in the vicinity of nuclear sites. They have estimated that, given the characteristics of the French sites, they could implement the following provisions within 12 to 24 hours after the onset of an accident: x Evacuating the population in a 5 km radius round the site; x Sheltering (confinement indoors) of the population in a 5–10 km radius round the site. Complementary measures would, of course, be envisaged for the longer term. It is clear from comparison that this degree of intervention would provide satisfactory protection in the event of a release not exceeding source term S3. The onsite severe accident procedures are consequently consistent with the population protection provisions, with respect to recommendations currently in force. It should also be noted that, since the Chernobyl accident, greater attention is paid to the social and economic disturbances created by longer term problems, such as those resulting from food chain contamination. The foodstuff marketing limits defined by the CEC following this accident are extremely penalising, but have no actual health physics signification. With release corresponding to source term S3, these limits would have to be applied at considerable distances from the damaged plant for more or less long periods of time. This is a preoccupation which will lead to “maximum plausible release” figures being more stringently limited for future reactors. List of ultimate emergency procedures Although its identification initially classifies it in the ultimate emergency series, procedure U3: “use of mobile facilities to back up safety injection and containment spraying”, does not correspond to containment protection after core meltdown. On the contrary, it is designed to prevent or limit this occurrence. As an extension to procedure H4, which provides for mutual backup of the permanently installed pumps used for the low head safety injection and containment spray systems, procedure U3 is used in the event of total loss of these pumps. Basically, it consists of pre-installed connection devices, accessible after an accident, which would enable the use of pumping facilities and a heat exchanger if necessary which are not permanently installed in the units. The capacity of the equipment provided for and the radiological protection afforded would enable intervention 15 days after a large primary break, for example, although it is hoped that this period could be shortened without having to consider the possibility of restoring containment spraying in the short term. The existence of the H4-U3 facilities consequently does not affect the phenomena we have just described, since they are aimed at core meltdown prevention. 331 There are two more procedures: x U2: procedure in the event of a containment isolation fault. x U5: containment depressurisation. Summary of procedures Table XXII summarizes the relationship between the various categories of operating conditions and the procedures and provisions to contend with them. This only applies to 900MW(e) units nowadays, as French 1300 MW(e) and 1400 MW(e) units are now equipped with a global symptom oriented approach which covers the complete area without discontinuity. In the future, the 900 MW(e) units will benefit from the same system. In addition to these procedures, the severe accident intervention guide used by the emergency teams resolves possible contradictions between actions required by the different procedures. In order to safeguard the reactor core, water has to be injected by all available means to flood the fuel, even though this water can have undesirable effects on the containment pressure level. Similarly, restarting containment spraying will lower the steam concentration but could have adverse effects with regard to deflagration hazards. The guide indicates current thinking in this area and advises operators accordingly. It also contains decision elements as to whether procedure U5 should be used. TABLE XXII. PROCEDURE APPLICATION RANGES. Order of magnitude Design basis of frequencies operating range. or probabilities Estimated frequencies of initiating events Likely or frequent 10-2 to 1 10-4 to 10-2 10-6 to 10-4 < 10-6 Complementary operating range. Realistic probabilities Ultimate procedure application range I A A U1 U2 H U1 U2 H U1 U2 U3 U4 U5 Internal emergency plan The actions described above are part of a more comprehensive plan, broadly applicable to all nuclear installations and known as the Internal Emergency Plan. This plan provides the link between the damaged plant and the outside emergency teams whose action is organized by the external emergency plan. The internal emergency plan is applied on the site under the responsibility of the operating organization. 332 Its main purposes are to ensure: x x x x Plant control and safeguards; Emergency aid for any site casualties; Protection for site personnel; Warning and information of the public authorities. The local crisis organization is conducted from: x x x x x A decision centre, the plant management control station; Three operational centres; The local unit control station, in the control room; The site radiological monitoring control station; The site logistic control station (transport, fluids, etc.). This plan is co-ordinated with the off-site action plans by means of three mutually adopted levels of application: x Level 1 : Accident without radiological hazards but requiring assistance from outside emergency teams; x Level 2 : Accident with radiological hazards confined to the site; x Level 3 : Radiological accident involving or liable to involve health consequences beyond the site. 333 Appendix IV LIST OF THE IAEA SAFETY REQUIREMENTS AND GUIDES 1. Governmental organization GS-R-1 Legal and governmental infrastructure for nuclear, radiation, radioactive waste and transport safety GS-G-1.1 Safety Guides Organization and staffing of the regulatory body for nuclear facilities GS-G-1.2 Review and assessment of nuclear facilities by the regulatory body GS-G-1.3 Regulatory inspection of nuclear facilities and enforcement by the regulatory body In preparation Documentation to be produced or required in regulating nuclear facilities 50-SG-G6 Preparedness of public authorities for emergencies at nuclear power plants 2. Siting 50-C-S (Rev. 1) Code on the safety of nuclear power plants: siting 50-SG-S1 Safety Guides Earthquakes and associated topics in relation to nuclear power plant siting 50-SG-S3 Atmospheric dispersion in nuclear power plant siting 50-SG-S4 Site selection and evaluation for nuclear power plants with respect to population distribution 50-SG-S5 External man-induced events in relation to nuclear power plant siting 50-SG-S6 Hydrological dispersion of radioactive material in relation to nuclear power plant siting 50-SG-S7 Nuclear power plant siting: hydrogeological aspects 50-SG-S8 Safety aspects of the foundations of nuclear power plants 50-SG-S9 Site survey for nuclear power plants 50-SG-S10A Design basis flood for nuclear power plants on river sites 50-SG-S10B Design basis flood for nuclear power plants on coastal sites 334 50-SG-S11A Extreme meteorological events in nuclear power plant siting, excluding tropical cyclones 50-SG-S11B Design basis tropical cyclone for nuclear power plants 3. Design NS-R-1 Code on the safety of nuclear power plants: design NS-G-1.1 Safety Guides Software for computer based systems important to safety in nuclear power plants NS-G-1.2 Safety assessment and verification for nuclear power plants NS-G-1.3 Instrumentation and control systems important to safety in nuclear power plants 50-SG-D2 (Rev.1) Fire Protection in nuclear power plants 50-G-D4 Protection against internally generated missiles and their secondary effects in nuclear power plants 50-SG-D5 (Rev. 1) External man-induced events in relation to nuclear power plant design 50-SG-D6 Ultimate heat sink and directly associated heat transport systems for nuclear power plants 50-SG-D7 (Rev. 1) Emergency power systems at nuclear power plants 50-SG-D9 Design aspects of radiation protection for nuclear power plants 50-SG-D10 Fuel handling and storage systems in nuclear power plants 50-SG-D12 Design of the reactor containment systems in nuclear power plants 50-SG-D13 Reactor coolant and associated systems in nuclear power plants 50-SG-D14 Design for reactor core safety in nuclear power plants 50-SG-D15 Seismic design and qualification for nuclear power plants 335 4. Operation NS-R-2 Safety of nuclear power plants: operation Safety Guides NS-G-2.1 Fire safety in operation of nuclear power plants NS-G-2.2 Operational limits and conditions for nuclear power plants NS-G-2.3 Modifications to nuclear power plants NS-G-2.4 The operating organization for nuclear power plants NS-G-2.5 Safety aspects of core management and fuel handling for nuclear power p NS-G-2.6 Maintenance, surveillance and in-service inspection in nuclear power plants 50-SG-O1 (Rev. 1) Staffing of nuclear power plants and the recruitment, training and authorization of operating personnel NS-G-2.7 Radiation protection and radioactive waste management in the operation of nuclear power plants 50-SG-O4 Commissioning procedures for nuclear power plants 50-SG-O6 Preparedness of the operating organization (licensee) for emergencies at nuclear power plants 50-SG-O12 Periodic safety review of operational nuclear power plants 5. Quality assurance 50-C/SG-Q 336 Quality assurance for safety in nuclear power plants and nuclear installations: Code and Safety Guides Q1–Q14 50-SG-Q1 Establishing and implementing a quality assurance programme 50-SG-Q2 Non-conformance control and corrective actions 50-SG-Q3 Document control and records 50-SG-Q4 Inspection and testing for acceptance 50-SG-Q5 Assessment of the implementation of the quality assurance programme 50-SG-Q6 Quality assurance in procurement of items and services 50-SG-Q7 Quality assurance in manufacturing 50-SG-Q8 Quality assurance in research and development 50-SG-Q9 Quality assurance in siting 50-SG-Q10 Quality assurance in design 50-SG-Q11 Quality assurance in construction 50-SG-Q12 Quality assurance in commissioning 50-SG-Q13 Quality assurance in operation 50-SG-Q14 Quality assurance in decommissioning Safety practices 50-P-1 Application of the single failure criterion 50-P-2 In-service inspection of nuclear power plants: A manual 50-P-3 Data collection and record keeping for the management of nuclear power plant ageing 50-P-4 Procedures for conducting probabilistic safety assessments of nuclear power plants (Level 1) 50-P-5 Safety assessment of emergency power systems for nuclear power plants 50-P-6 Inspection of fire protection measures and fire fighting capability at nuclear power plants 50-P-7 Treatment of external hazards in probabilistic safety assessment for nuclear power plants 50-P-8 Procedures for conducting probabilistic safety assessments of nuclear power plants (Level 2): accident progression, containment analysis and e of accident source terms 50-P-9 Evaluation of fire hazard analyses for nuclear power plants 50-P-10 Human reliability analysis in probabilistic safety assessment for nuclear power plants 50-P-11 Assessment of the overall fire safety arrangements at nuclear power plants 50-P-12 Procedures for conducting probabilistic safety assessments of nuclear power plants (Level 3): off-site consequences and estimation of risks to the public 337 APPENDIX V — LIST OF FINNISH YVL GUIDES General guides YVL 1.0 YVL 1.1 YVL 1.2 YVL 1.3 YVL 1.4 YVL 1.5 YVL 1.6 YVL 1.7 YVL 1.8 YVL 1.9 YVL 1.11 YVL 1.13 YVL 1.14 YVL 1.15 YVL 1.16 Systems YVL 2.1 YVL 2.2 YVL 2.3 YVL 2.4 YVL 2.5 YVL 2.6 YVL 2.7 YVL 2.8 Safety criteria for design of nuclear power plants, 12 January 1996 Finnish Centre for Radiation and Nuclear Safety as the regulatory authority for the use of nuclear energy, 27 January 1992 Documents pertaining to safety control of nuclear facilities, 11 September 1995 Mechanical components and structures of nuclear power facilities. Inspection licences, 22 October 1996 (in Finnish) Quality assurance of nuclear power plants, 20 September 1991 Reporting nuclear power plant operation to the Finnish Centre for Radiation and Nuclear Safety, 1 January 1995 Nuclear power plant operator licensing, 9 October 1995 Functions important to nuclear power plant safety, and training and qualification of personnel, 28 December 1992 Repairs, modifications and preventive maintenance at nuclear facilities, 2 October 1986 Quality assurance during operation of nuclear power plants, 13 November 1991 Nuclear power plant operating experience feedback, 22 December 1994 Nuclear power plant outages, 9 January 1995 Mechanical components and structures of nuclear facilities, control of manufacturing, , 4 October 1999 (in Finnish) Mechanical components and structures in nuclear installations, construction inspection, 19 December 1995 (in Finnish) Control of nuclear liability insurance policies, 22 March 2000 (in Finnish). Safety classification of nuclear power plant systems, structures and components, 22 May 1992 Transient and accident analyses for justification of technical solutions at nuclear power plants, 18 January 1996 Preinspection of nuclear power plant systems, 14 August 1975 Primary and secondary circuit pressure control at a nuclear power plant, 18 January 1996 Pre-operational and start-up testing of nuclear power plants, 8 January 1991 Provision against earthquakes affecting nuclear facilities, 19 December 1988 Ensuring a nuclear power plant’s safety functions in provision for failures, 20 May 1996 Probabilistic safety analyses (PSA), 20 December 1996 Pressure vessels YVL 3.0 Regulatory control of pressure vessels in nuclear facilities. General guidelines, 11 September 1996 YVL 3.1 Construction plan for nuclear facility pressure vessels, 27 May 1997 (in Finnish) YVL 3.3 Pressure vessels of nuclear facilities. Piping, 4 December 1996 (in Finnish) 338 YVL 3.4 YVL 3.7 YVL 3.8 YVL 3.9 Nuclear power plant pressure vessels. Manufacturer’s competence, 16 December 1996 (in Finnish) Pressure vessels of nuclear facilities. Commissioning inspection, 12 December 1991 Nuclear power plant pressure vessels. Inservice inspections, 13 December 1993 Nuclear power plant pressure vessels. Construction and welding filler materials, 6 April 1995 (in Finnish) Buildings and structures YVL 4.1 Concrete structures for nuclear facilities, 22 May 1992 YVL 4.2 Steel structures for nuclear facilities, 19 January 1987 YVL 4.3 Fire protection at nuclear facilities, 1st November 1999 Other structures and components YVL 5.1 Nuclear power plant diesel generators and their auxiliary systems, 23 January 1997 (in Finnish) YVL 5.2 Nuclear power plant electrical systems and equipment, 23 January. 1997 (in Finnish) YVL 5.3 Regulatory control of nuclear facility valves and their actuators, 7 February 1991 YVL 5.4 Supervision of safety relief valves in nuclear facilities, 6 April 1995 (in Finnish) YVL 5.5 Supervision of electric and instrumentation systems and components at nuclear facilities, 7 June 1985 YVL 5.6 Ventilation systems and components of nuclear power plants, 23 November 1993 YVL 5.7 Pumps at nuclear facilities, 23 November 1993 (in Finnish) YVL 5.8 Hoisting appliances and fuel handling equipment at nuclear facilities, 5 January 1987 Nuclear materials YVL 6.1 Control of nuclear fuel and other nuclear materials required in the operation of nuclear power plants, 19 June 1991 YVL 6.2 Fuel design limits and general design criteria, 1 November 1993 YVL 6.3 Supervision of fuel design and manufacture, 15 September 1993 YVL 6.4 Transport packages for nuclear material and waste, 9 October 1995 YVL 6.5 Supervision of nuclear fuel transport, 12 October 1995 (in Finnish) YVL 6.6 Surveillance of nuclear fuel performance, 5 November 1990 YVL 6.7 Quality assurance of nuclear fuel, 23 November 1993 YVL 6.8 Handling and storage of nuclear fuel, 13 November 1991 YVL 6.9 The national system of accounting for and control of nuclear material, 23 September 1999 (in Finnish) YVL 6.10 Reports to be submitted on nuclear materials, 23 September 1999 (in Finnish) YVL 6.11 Physical protection of nuclear power plants, 13 July 1992 (in Finnish) YVL 6.21 Physical protection of nuclear fuel transports, 15 Feb. 1988 (in Finnish) Radiation protection YVL 7.1 YVL 7.2 Limitation of public exposure in the environment of and limitation of radioactive releases from nuclear power plants, 14. December 1992 Evaluation of population doses in the vicinity of a nuclear power plant, 23 January 1997 (in Finnish) 339 YVL 7.3 YVL 7.4 YVL 7.5 YVL 7.6 YVL 7.7 YVL 7.8 YVL 7.9 YVL 7.10 YVL 7.11 YVL 7.18 Evaluation of models for calculating the dispersion of radioactive substances from nuclear power plants, 23 January 1997 (in Finnish) Nuclear power plant emergency response arrangements, 23 January 1997 (in Finnish) Meteorological measurements of nuclear power plants, 28 December 1990 Monitoring of discharges of radioactive substances from nuclear power plants, 13 July 1992 Radiation monitoring in the environment of nuclear power plants, 11 December 1995 Environmental radiation safety reports of nuclear power plants, 11 December 1995 (in Finnish) Radiation protection of nuclear power plant workers, 14 December 1992 Monitoring of occupational exposure at nuclear power plants, 29 August 1994 Radiation monitoring systems and equipment for nuclear power plants, 20 December 1996 (in Finnish) Radiation protection in the design of nuclear power plants, 20 December 1996 (in Finnish) Radioactive waste management YVL 8.1 YVL 8.2 YVL 8.3 Disposal of reactor waste, 20 September 1991 Exemption from regulatory control of nuclear wastes, 19 March 1992 Treatment and storage of radioactive waste at a nuclear power plant, 20 August 1996 The YVL-guides without any language marking are available both in English and Finnish. 340 Appendix VI IAEA INTERNATIONAL NUCLEAR EVENTS SCALE (INES) General description of the scale: The International Nuclear Event Scale (INES) is a means for promptly communicating to the public in consistent terms the safety significance of events reported at nuclear installations. By putting events into proper perspective, the Scale can ease common understanding among the nuclear community, the media, and the public. It was designed by an international group of experts convened jointly in 1989 by the International Atomic Energy Agency (IAEA) and the Nuclear Energy Agency (NEA) of the Organization for Economic Co-operation and Development. The Scale also reflects the experience gained from the use of similar scales in France and Japan as well as from consideration of possible scales in several other countries. 341 x The Scale was initially applied for a trial period to classify events at nuclear power plants and then extended and adapted to enable it to be applied to any event associated with radioactive material and/or radiation and to any event occurring during transport of radioactive material. It is now operating successfully in over 60 countries. The INES Information Service, the communication network built up on request receives from and disseminates to the INES National Officers of 60 Member States, Event Rating Forms that provide authoritative information related to nuclear events. Event Rating Forms are circulated when events are significant for: x Operational safety (INES level 2 and above). x Public interest (INES level 1 and below). The communication process has therefore led each participating country to set up a structure which ensures that all events are promptly rated using the INES rating procedure to facilitate communication whenever they have to be reported outside. Events are classified on the Scale at 7 levels; the upper levels (4–7) are termed accidents and the lower levels (1–3) incidents. Events which have no safety significance are classified below scale at level 0 and are termed “deviations”. Events which have no safety relevance are termed “out of scale”. The structure of the Scale is shown opposite, in the form of a matrix with key words. Each level is defined in detail within the INES User’s Manual. Events are considered in terms of three safety attributes or criteria represented by each of the columns: off-site impact, on-site impact, and defence-in-depth degradation. The second column in the matrix relates to events resulting in off-site releases of radioactivity. Since this is the only consequence having a direct effect on the public, such releases are understandably of particular concern. Thus, the lowest point in this column represents a release giving the critical group an estimated radiation dose numerically equivalent to about one-tenth of the annual dose limit for the public; this is classified as level 3. Such a dose is also typically about one-tenth of the average annual dose received from natural background radiation. The highest level is a major nuclear accident with widespread health and environmental consequences. The third column considers the on-site impact of the event. This category covers a range from level 2 (contamination and/or overexposure of a worker) to level 5 (severe damage to the reactor core or radiological barriers). All nuclear facilities are designed so that a succession of safety layers act to prevent major on-site or off-site impact and the extent of the safety layers provided generally will be commensurate with the potential for on- and off-site impact. These safety layers must all fail before substantial off-site or on-site consequences occur. The provision of these safety layers is termed “defence-in-depth”. The fourth column of the matrix relates to incidents at nuclear installations or during the transportation of radioactive materials in which these defence-indepth provisions have been degraded. This column spans the incident levels 1–3. An event which has characteristics represented by more than one criterion is always classified at the highest level according to any one criterion. 342 Events which do not reach the threshold of any of the criteria are rated below scale at level 0. The back page of this leaflet gives typical descriptions of events at each level together with examples of the classification of nuclear events which have occurred in the past at nuclear installations. Using the Scale x The detailed rating procedures are provided in the INES User’s Manual. This leaflet should not be used as the basis for rating events as it only provides examples of events at each level, rather than actual definitions. x Although the Scale is designed for prompt use following an event, there will be occasions when a longer time-scale is required to understand and rate the consequences of an event. In these rare circumstances, a provisional rating will be given with confirmation at a later date. It is also possible that as a result of further information, an event may require reclassification. x The Scale does not replace the criteria already adopted nationally and internationally for the technical analysis and reporting of events to Safety Authorities. Neither does it form a part of the formal emergency arrangements that exist in each country to deal with radiological accidents. x Although the same Scale is used for all installations, it is physically impossible at some types of installation for events to occur which involve the release to the environment of considerable quantities of radioactive material. For these installations, the upper levels of the Scale would not be applicable. These include research reactors, unirradiated nuclear fuel treatment facilities, and waste storage sites. x The Scale does not classify industrial accidents or other events which are not related to nuclear or radiological operations. Such events are termed “out of scale”. For example, although events associated with a turbine or generator can affect safety related equipment, faults affecting only the availability of a turbine or generator would be classified as out of scale. Similarly, events such as fires are to be considered out of scale when they do not involve any possible radiological hazard and do not affect the safety layers. x The Scale is not appropriate as the basis for selecting events for feedback of operational experience, as important lessons can often be learnt from events of relatively minor significance.It is not appropriate to use the Scale to compare safety performance among countries. Each country has different arrangements for reporting minor events to the public, and it is difficult to ensure precise international consistency in rating events at the boundary between level 0 and level 1. The statistically small number of such events, with variability from year to year, makes it difficult to provide meaningful international comparisons. x Although broadly comparable, nuclear and radiological safety criteria and the terminology used to describe them vary form country to country. The INES has been designed to take account of this fact. 343 Examples of rated nuclear events x The 1986 accident at the Chernobyl nuclear power plant in the Soviet Union (now in Ukraine) had widespread environmental and human health effects. It is thus classified as Level 7. x The 1957 accident at the Kyshtym reprocessing plant in the Soviet Union (now in Russia) led to a large off-site release. Emergency measures including evacuation of the population were taken to limit serious health effects. Based on the off-site impact of this event it is classified as Level 6. The 1957 accident at the air-cooled graphite reactor pile at Windscale (now Sellafield) facility in the United Kingdom involved an external release of radioactive fission products. Based on the off-site impact, it is classified as Level 5. x The 1979 accident at Three Mile Island in the USA resulted in a severely damaged reactor core. The off-site release of radioactivity was very limited. The event is classified as Level 5, based on the on-site impact. x The 1973 accident at the Windscale (now Sellafield) reprocessing plant in the United Kingdom involved a release of radioactive material into a plant operating area as a result of an exothermic reaction in a process vessel. It is classified as Level 4, based on the onsite impact. x The 1980 accident at the Saint-Laurent nuclear power plant in France resulted in partial damage to the reactor core, but there was no external release of radioactivity. It is classified as Level 4, based on the on-site impact. x The 1983 accident at the RA-2 critical assembly in Buenos Aires, Argentina, an accidental power excursion due to non-observance of safety rules during a core modification sequence, resulted in the death of the operator, who was probably 3 or 4 metres away. Assessments of the doses absorbed indicate 21 Gy for the gamma dose together with 22 Gy for the neutron dose. The event is classified as Level 4, based on the on-site impact. x The 1989 incident at the Vandellos nuclear power plant in Spain did not result in an external release of radioactivity, nor was there damage to the reactor core or contamination on site. However, the damage to the plant’s safety systems due to fire degraded the defence-in-depth significantly. The event is classified as Level 3, based on the defence-indepth criterion. x The vast majority of reported events are found to be below Level 3. Although no examples of these events are given here, countries using the Scale may individually wish to provide examples of events at these lower levels. 344 Basic Structure of the Scale(Criteria given in matrix are broad indicators only)Detailed definitions are provided in the INES User’s Manual CRITERIA OR SAFETY ATTRIBUTES OFF-SITE IMPACT 7 MAJOR ACCIDENT 6 SERIOUS ACCIDENT 5 ACCIDENT WITH OFFSITE RISK 4 ACCIDENT WITHOUT SIGNIFICANT OFFSITE RISK 3 SERIOUS INCIDENT MAJOR RELEASE: WIDESPREAD HEALTH AND ENVIRONMENTAL EFFECTS SIGNIFICANT RELEASE: LIKELY TO REQUIRE FULL IMPLEMENTATION OF PLANNED COUNTERMEASURES LIMITED RELEASE: LIKELY TO REQUIRE PARTIAL IMPLEMENTATION OF PLANNED COUNTERMEASURES MINOR RELEASE: PUBLIC EXPOSURE OF THE ORDER OF PRESCRIBED LIMITS VERY SMALL RELEASE: PUBLIC EXPOSURE AT A FRACTION OF PRESCRIBED LIMITS 2 INCIDENT ON-SITE IMPACT SEVERE DAMAGE TO REACTOR CORE/ RADIOLOGICAL BARRIERS SIGNIFICANT DAMAGE TO REACTOR CORE/ RADIOLOGICAL BARRIERS/FATAL EXPOSURE OF A WORKER SEVERE SPREAD OF CONTAMINATION/AC UTE HEALTH EFFECTS TO A WORKER SIGNIFICANT SPREAD OF CONTAMINATION/OV ER EXPOSURE OF A WORKER 1 ANOMALY 0 DEVIATION DEFENCE-IN-DEPTH DEGRADATION NEAR ACCIDENT NO SAFETY LAYERS REMAINING INCIDENTS WITH SIGNIFICANT FAILURES IN SAFETY PROVISIONS ANOMALY BEYOND THE AUTHORIZED OPERATING REGIME NO SAFETY SIGNIFICANCE 345 The International Nuclear Event Scale For prompt communication of safety significance LEVEL/DESCRI PTOR 7 ACCIDENTS MAJOR ACCIDENT 6 SERIOUS ACCIDENT 5 ACCIDENT WITH OFFSITE RISK 4 ACCIDENT WITHOUT SIGNIFICAN T OFF-SITE RISK 3 INCIDENT SERIOUS INCIDENT 2 INCIDENT 1 ANOMALY DEVIATIONS 0 BELOW SCALE NATURE OF THE EVENTS EXAMPLES · External release of a large fraction of the radioactive material in a large facility (e.g. the core of a power reactor). This would typically involve a mixture of short and long-lived radioactive fission products (in quantities radiologically equivalent to more than tens of thousands of terabecquerels of iodine-131). Such a release would result in the possibility of acute health effects; delayed health effects over a wide area, possibly involving more than one country; long-term environmental consequences. · External release of radioactive material (in quantities radiologically equivalent to the order of thousands to tens of thousands of terabecquerels of iodine-131). Such a release would be likely to result in full implementation of countermeasures covered by local emergency plans to limit serious health effects. · External release of radioactive material (in quantities radiologically equivalent to the order of hundreds to thousands of terabecquerels of iodine-131). Such a release would be likely to result in partial implementation of countermeasures covered by emergency plans to lessen the likelihood of health effects.· Severe damage to the installation. This may involve severe damage to a large fraction of the core of a power reactor, a major criticality accident or a major fire or explosion releasing large quantities of radioactivity within the installation. · External release of radioactivity resulting in a dose to the critical group of the order of a few millisieverts.* With such a release the need for off-site protective actions would be generally unlikely except possibly for local food control.· Significant damage to the installation. Such an accident might include damage leading to major on-site recovery problems such as partial core melt in a power reactor and comparable events at non-reactor installations.· Irradiation of one or more workers resulting in an overexposure where a high probability of early death occurs. Chernobyl NPP, USSR (now in Ukraine), 1986 · External release of radioactivity resulting in a dose to the critical group of the order of tenths of millisievert.* With such a release, off-site protective measures may not be needed. On-site events resulting in doses to workers sufficient to cause acute health effects and/or an event resulting in a severe spread of contamination for example a few thousand terabecquerels of activity released in a secondary containment where the material can be returned to a satisfactory storage area.· Incidents in which a further failure of safety systems could lead to accident conditions, or a situation in which safety systems would be unable to prevent an accident if certain initiators were to occur. · Incidents with significant failure in safety provisions but with sufficient defence-in-depth remaining to cope with additional failures. These include events where the actual failures would be rated at level 1 but which reveal significant additional organizational inadequacies or safety culture deficiencies.· An event resulting in a dose to a worker exceeding a statutory annual dose limit and/or an event which leads to the presence of significant quantities of radioactivity in the installation in areas not expected by design and which require corrective action. · Anomaly beyond the authorized regime but with significant defence-in-depth remaining. This may be due to equipment failure, human error or procedural inadequacies and may occur in any area covered by the scale, e.g. plant operation, transport of radioactive material, fuel handling, waste storage. Examples include: breaches of technical specifications or transport regulations, incidents without direct safety consequences that reveal inadequacies in the organizational system or safety culture, minor defects in pipework beyond the expectations of the surveillance programme. · Deviations where operational limits and conditions are not exceeded and which are properly managed in accordance with adequate procedures. Examples include: a single random failure in a redundant system discovered during periodic inspections or tests, a planned reactor trip proceeding normally, spurious initiation of protection systems without significant consequences, leakages within the operational limits, minor spreads of contamination within controlled areas without wider implications for safety culture. Kyshtym Reprocessing Plant, USSR(now in Russia), 1957 Windscale Pile, UK, 1957 Three Mile Island, NPP, USA, 1979 Windscale Reprocessing Plant, UK, 1973 Saint-Laurent NPP, France, 1980 Buenos Aires, Critical Assembly, Argentina, 1983 Vandellos NPP, Spain, 1989 NO SAFETY SIGNIFICANCE *The doses are expressed in terms of effective dose equivalent (whole dose body). Those criteria where appropriate can also be expressed in terms of corresponding annual effluent discharge limits authorized by National authorities. 346 Appendix VII REGULATORY CONTROL OF NUCLEAR POWER PLANTS — SYLLABUS AND EXAMPLE COURSE PROGRAMME (KARLSRUHE, 2000) REGIONAL TRAINING COURSE ON REGULATORY CONTROL OF NPPs: SYLLABUS 1. 1.1 1.2. 1.3. 1.4. 1.5. 1.6. 1.7. 1.8. LEGISLATIVE AND REGULATORY FRAMEWORK IAEA approach IAEA Safety Standards International conventions Legislative and statutory framework Scope of legislation Regulatory guidance Safety criteria for nuclear power plants Country specific examples 2. 2.1. 2.2. 2.3. 2.4. 2.5. 2.6. 2.7. REGULATORY BODY IAEA approach Responsibilities and functions of the regulatory body Organization and duties of the regulatory body Licensing of a nuclear power plant Quality assurance, self-assessment and performance reviews Professionalism and training of the staff of the regulatory body Country specific examples 3. 3.1. 3.2. 3.3. 3.4. 3.5. 3.6. 3.7. ASSESSMENT OF SAFETY IAEA approach Stages of assessment Assessment methodology3 Assessment of modifications Assessment of operational experience in-house and worldwide Periodic safety review assessments Country specific examples 4. 4.1. 4.2. 4.3. 4.4. 4.5 4.6. 4.7. INSPECTION ACTIVITIES IAEA approach Inspection programme, types of inspections Inspection guidance Implemention, methods of checking for compliance Reporting results of inspections Actions in response to non-compliance with regulatory requirements Country specific examples 5. 5.1. 5.2 5.3 5.4 5.5. DOCUMENTATION IAEA approach Documents generated within an authorization process Documents generated by the operator Documents generated by the regulatory body Use and updating procedures for licence document 347 5.6. Country specific examples 6. 6.1 6.2. 6.3. 6.4. 6.5. 6.6. 6.7. DEVELOPING SAFETY IAEA approach to safety culture Interface of regulator and operator The role of regulator in developing safety Assessment: detecting incipient weaknesses Use of risk insights The role of safety research Country specific examples 7. 7.1. 7.2. 7.3. 7.4. 7.5. 7.6. 7.7. EMERGENCY ARRANGEMENTS IAEA approach to emergency response Monitoring and assessment Intervention Plans, resources and equipment Training and exercises Communication Country specific examples 8. 8.1. 8.2. 8.3. 8.4. 8.5. 8.6. 8.7. COMMUNICATION WITH THE PUBLIC IAEA approach to nuclear communications Role of regulatory body Reporting operating events INES classification Tools and methods Crisis communication Country specific examples 9. TECHNICAL VISIT (highlight areas of inspection interest) 348 349 4.30– 5.00 3.40 4.30 2.403.30 Coffee 1.30 2.20 Lunch 11.4012.30 10.4011.30 Coffee 9.3010.20 8.30 9.20 TIME Participant presentation 25 min Group work on international standards and conventions, Aro, Stoiber Regulatory body Professionalism and training of the regulatory staff (75 min) Aro Cont Group work on participant Highlights from Monday issues, (4.40–6.00) (2 participants) Burkart, Schrammel 6.00 Welcome party Regulatory body National practices in Germany Schatke Regulatory Framework National practices in Germany Schatke Regulatory Framework Regulatory body IAEA Requirements and guidance Delattre Routine interaction between authority, TÜV and NPP: Contents, modes, levels, responsibilities, documents Reg. body, TÜV, GKN Practical aspects of inspections: Preparation, Implementation, Support, Evaluation, conclusions and consequences, Reporting Regulatory body, TÜV, GKN Highlights from Tuesday and Wednesday (4 participants) Cont. Group Work on developing safety Aro, Stoiber, Roth, Reiman Reiman The use of risk insights in the Finnish Regulatory Body Highlights from Thursday (2 participants) Cont. Examples of Regulatory Guidance US NRC regulatory guidance Stoiber Group Work on regulatory approaches and practices in different countries Aro, Stoiber, Reiman REGIONAL TRAINING COURSE ON REGULATORY CONTROL OF NPPs, KARLSRUHE, GERMANY, 14–25 MAY 2001 Week 1 MONDAY, 14.05.01 TUESDAY, 15.05.01 WEDNESDAY, 16.05.01 THURSDAY, 17.05.01 FRIDAY, 18.05.01 Regulatory Body Course Opening Regulatory approach and IAEA Safety Standards Regulatory body/operator Visit to NPP (GKN) organization in Finland interface Welcome, Plant features Burkart, Aro Splitting up into groups Reiman Aro Entrance procedures Reiman Quality assurance in the Guidance on detecting „Inspection“ of the plant: Safety Fundamentals: Basic Safety related international regulatory body; Internal weaknesses in safety and how Containment, Control room Safety Objectives conventions quality manual, national to react Turbine hall, Overview from experiences top of cooling tower Aro Delattre Reiman Reiman Regulatory Guidance Regulatory Framework Convention on Nuclear Safety Qualification requirements Cont. German experiences to Objectives, procedures for promote safety for NPP personnel in development, Germany IAEA Guidance Stoiber Roth Götz Kalinowski Examples of Regulatory Regulatory body Cont. Cont. Risk informed regulation in Governmental organization Guidance the USA for nuclear safety in USA KTA Nuclear Safety Standards Stoiber Stoiber Stoiber Kalinowski 350 Lipar, Burkart Cont. Highlights from Monday (2 participants) Libmann Inspection Activities IAEA guidance Hughes Highlights from Friday (2 participants) 4.30–5.00 3.40–4.30 2.20–3.30 Safety assessment Periodic safety review Libmann Developing safety in France 1.30 2.20 Coffee Examples of licensing documents: Emergency manual Gessler Group Work Case studies for assessment/ licensing Libmann Lunch Participant presentation on FSAR and regulatory documents (25 min) Regulatory Documents Examples of licensing documents: Quality assurance manual Ritter Assessment of Safety Assessment of plant modifications Lipar Cont. Updating of documents (25 min) Lipar Operational experience feedback Hughes Documentation in the regulatory body IAEA guidance Assessment of Safety IAEA guidance Stages of assessment Hughes 11.40– 12.30 10.40– 11.30 Coffee 9.30– 10.20 8.30 9.20 TIME Highlights from Tuesday (2 participants) Cont. Regulatory body Emergency arrangements including exercise Burkart, Schrammel Wildermann Reporting results Compliance checking Actions in response to noncompliance Robbins Wildermann Inspection manual Types of inspections Examples Objectives, arrangements for inspection and inspectors right for entry Wildermann Group Work Presentation of results Cont. Highlights from Wednesday (2 participants) Hoffmann, Robbins Group Work Steps required for a specific inspection 2 participant presentations 2 participant presentations 7.00 p.m. Fare-well Party Burkart, Delattre, Robbins Feedback from every participant on key points they have learned and how they will use them. Course evaluation Course closure Delattre INES Delattre IRRT experiences Examples of inspections: United Kingdom [1 h] Robbins Delattre IAEA IRRT services to review regulatory activities Hoffmann Examples of inspections: Germany [1 h] REGIONAL TRAINING COURSE ON REGULATORY CONTROL OF NPPs, KARLSRUHE, GERMANY, 14–25 MAY 2001 Week 2 MONDAY, 21.05.01 TUESDAY, 22.05.01 WEDNESDAY, 23.05.01 THURSDAY, 24.05.01 FRIDAY, 25.05.01 Regulatory body Licensing of a NPP Inspection programmes and Inspection Activities Regulatory body Regulatory Documents types of inspections effectiveness and selfIAEA guidance Licensing documents and Investigations and assessment, IAEA practices their use, FSAR enforcement Slovak experience Delattre Robbins Hughes Robbins Lipar REFERENCES [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Bulletin 40 2 (1998). INTERNATIONAL ATOMIC ENERGY AGENCY, Legal and Governmental Infrastructure for Nuclear, Radiation, Radioactive Waste and Transport Safety, Requirements, Safety Series No. GS-R-1, IAEA, Vienna (2000). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, Safety Series No. NS-R-1, IAEA, Vienna (2000). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Operation, Safety Series No. NS-R-2, IAEA, Vienna (2000). INTERNATIONAL ATOMIC ENERGY AGENCY, Code Safety of Nuclear Power Plants: Siting, Safety Series No. 50-C-S (Rev. 1), IAEA, Vienna (1998). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Quality Assurance, Safety Series No. 50-C-QA (Rev. 1), IAEA, Vienna (1988). INTERNATIONAL ATOMIC ENERGY AGENCY, Basic Safety Principles for Nuclear Power Plants, No. 75-INSAG-12, (Rev. 1), IAEA, Vienna (1999). INTERNATIONAL ATOMIC ENERGY AGENCY, The Safety of Nuclear Installations, Safety Series No. 110 (1993). INTERNATIONAL ATOMIC ENERGY AGENCY, Defence in Depth in Nuclear Safety, No. 75-INSAG-10, (1996). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Culture, No. 75-INSAG-4, (1991). INTERNATIONAL ATOMIC ENERGY AGENCY, Convention on Nuclear Safety, Legal Series No. 16, IAEA, Vienna (1994). INTERNATIONAL ATOMIC ENERGY AGENCY, Convention on Early Notification of a Nuclear Accident and Convention on Assistance in the Case of a Nuclear Accident or Radiological Emergency, Legal Series No. 14, IAEA, Vienna (1987). INTERNATIONAL ATOMIC ENERGY AGENCY, The Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management, INFCIRC/546, IAEA. INTERNATIONAL ATOMIC ENERGY AGENCY, Joint Protocol Relating to the Application of the Vienna Convention and the Paris Convention, INFCIRC/402, IAEA. OECD Nuclear Energy Agency, Committee on Nuclear Regulatory Activities, Inspection Philosophy, Inspection Organizations and Inspection Practices, [OCDE/GD (97)140], OECD/NEA, Paris (1997). Radiation and Nuclear Safety Authority, Radiation and Nuclear Safety Authority as the Regulatory Authority for the Use of Nuclear Energy, Guide YVL 1.1 (1992). The Licensing and Supervisory Procedure for Nuclear Facilities in the Federal Republic of Germany, Gesellschaft fuer Anlagen und Reaktorsicherheit (GRS)mbH (1988). INTERNATIONAL ATOMIC ENERGY AGENCY, Guidelines for IAEA International Regulatory Review Teams (IRRTs), IAEA-TECDOC-703, Vienna (1993). ARO, I., Systematic Approach to Training, Experiences from the Training Activities of Regulatory Personnel in STUK, Radiation and Nuclear Safety Authority, STUK-BYTV173, STUK, Helsinki (1998). INTERNATIONAL ATOMIC ENERGY AGENCY, Training the Staff of the Regulatory Body for Nuclear Facilities: A Competency Framework, IAEA-TECDOC1254, IAEA, Vienna (2001). OECD Nuclear Energy Agency, Committee on Nuclear Regulatory Activities, Inspector Qualification Guidelines, [(NEA/CNRA(94)1], OECD NEA, Paris (1994). 351 [22] Libmann, J. Elements of Nuclear Safety, EDP, France (1996). [23] Radiation and Nuclear safety Authority, Repairs, Modifications and Preventive Maintenance at Nuclear Facilities, Guide YVL 1.8 (1992). [24] INTERNATIONAL ATOMIC ENERGY AGENCY, Periodic Safety Review of Operational Nuclear Power Plants, Safety Series No. 50-SG-012, IAEA, Vienna (1994). [25] INTERNATIONAL ATOMIC ENERGY AGENCY, Developing Safety Culture in Nuclear Activities — Practical Suggestions to Assist Progress, Safety Report No. 11 (1999). [26] INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Operational Safety in Nuclear Power Plants, No. 75-INSAG-13, IAEA, Vienna (1999). [27] INTERNATIONAL ATOMIC ENERGY AGENCY, Intervention Criteria in a Nuclear or Radiation Emergency, Safety Series No. 109, Vienna (1994). [28] INTERNATIONAL ATOMIC ENERGY AGENCY, Method for the development of emergency response preparedness for nuclear or radiological accidents, IAEATECDOC-953, Vienna (1997). [29] INTERNATIONAL ATOMIC ENERGY AGENCY, Generic Assessment Procedures for Determining Protective Actions during a Reactor Accident, IAEA-TECDOC-955, Vienna (1997). [30] INTERNATIONAL ATOMIC ENERGY AGENCY, Training Manual for Reactor Accident Assessment and Response, Working Material, Vienna (1998). [31] International Commission on Radiological Protection, Protection of the Public in the Event of Major Radiation Accidents: Principles for Planning, Publication No. 40, Pergamon Press, Oxford and New York (1984). [32] International Commission on Radiological Protection, Principles for Intervention for Protection of the Public in a Radiological Emergency, Publication No. 63, Pergamon Press, Oxford and New York (1993). [33] FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR ORGANISATION, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, WORLD HEALTH ORGANIZATION, International Basic Safety Standards for Protection against Ionising Radiation and for the Safety of Radiation Sources, Safety Series No. 115, IAEA, Vienna (1996). [34] Commission Regulation (EURATOM) No. 770/90 of 29 March 1990 laying down maximum permitted levels of radioactive contamination of feeding stuffs following a nuclear accident or any other case of radiological emergency. (Official Journal of the European Communities L-83 of 30/03/90). [35] National Radiological Protection Board (NRPB), Board Statement on Emergency Reference Levels. Documents of the NRPB, Vol. 1 No. 4, Chilton (1990). [36] INTERNATIONAL ATOMIC ENERGY AGENCY, Generic Procedures for Monitoring in a Nuclear or Radiological Emergency, IAEA-TECDOC-1092, IAEA, Vienna (1999). [37] INTERNATIONAL ATOMIC ENERGY AGENCY, Communications on Nuclear, Radiation, Transport and Waste Safety: A Practical Handbook, TECDOC-1076, IAEA, Vienna (1999). [38] INTERNATIONAL ATOMIC ENERGY AGENCY, Proceedings of a Workshop on Information to the Public, J. Laaksonen, K. Tossavainen, H. Hautakangas, O. Wiio (Finland) and G. Wuenche (Sweden), Helsinki, (1995). [39] INTERNATIONAL ATOMIC ENERGY AGENCY, INES Leaflet. 352 CONTRIBUTORS TO DRAFTING AND REVIEW ARO, I. International Atomic Energy Agency BURKART, K. Germany CRICK, M. International Atomic Energy Agency DAHLGREN, K. International Atomic Energy Agency FIEDLER-POEHLMANN, A. Germany GOETZ, C. Germany HALL, A. South Africa HOFFMANN, B. Germany KALINOWSKI, I. Germany KRIZ, Z. International Atomic Energy Agency LACEY, D. International Atomic Energy Agency LEDERMAN, L. International Atomic Energy Agency LEMOINE, P. International Atomic Energy Agency LIBMANN, J. France McKENNA, T. International Atomic Energy Agency PHILIP, G. International Atomic Energy Agency RANGUELOVA, V. International Atomic Energy Agency REIMAN, L. Finland REUHL, P. Germany RITTER, J. Germany ROBBINS, M. United Kingdom ROTH, E. Germany SCHATTKE, H. Germany STOIBER, C. United States of America ZUBER, J.F. Switzerland 353 TRAINING COURSE SERIES No. 15 Regulatory control of nuclear power plants Part B (Workbook) INTERNATIONAL ATOMIC ENERGY AGENCY, VIENNA, 2002 The originating Section of this publication in the IAEA was: Safety Co-ordination Section International Atomic Energy Agency Wagramer Strasse 5 P.O. Box 100 A-1400 Vienna, Austria REGULATORY CONTROL OF NUCLEAR POWER PLANTS PART B (WORKBOOK) IAEA, VIENNA, 2002 IAEA–TCS–15 ISSN 1018–5518 © IAEA, 2002 Printed by the IAEA in Austria September 2002 FOREWORD The purpose of this workbook and the corresponding textbook is to support IAEA training courses and workshops in the field of regulatory control of nuclear power plants as well as to support the regulatory bodies of Member States in their own training activities. The target group is the professional staff members of nuclear safety regulatory bodies supervising nuclear power plants and having duties and responsibilities in the regulatory fields. The workbook (Part B) contains learning objectives for each section of the textbook (Part A) and exercises for individual studies to help the reader to focus on the important topics and to control learning. The workbook also provides group tasks so that course participants can compare their practices and learn from each other. This is achieved in the most effective manner if participants first perform their individual exercises and then participate in the group activity. The workbook also encourages learners to use the Internet by referring to some regulatory bodies who display useful information on their home pages. The structure of the textbook and workbook makes it possible to develop remote learning arrangements either on individual bases or in the form of remote training courses organized and supported by the IAEA and/or volunteer organization that would be willing to provide training support. The IAEA officer responsible for the publication was I. Aro of the Department of Nuclear Safety. Ongoing responsibility lies with L. Lederman of the Division of Nuclear Installation Safety. EDITORIAL NOTE The use of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries. The mention of names of specific companies or products (whether or not indicated as registered) does not imply any intention to infringe proprietary rights, nor should it be construed as an endorsement or recommendation on the part of the IAEA. CONTENTS Introduction ................................................................................................................................ 1 Learning objectives for Section 1............................................................................................... 2 Learning objectives for Section 2............................................................................................... 3 Learning objectives for Section 3............................................................................................... 4 Learning objectives for Section 4............................................................................................... 5 Learning objectives for Section 5............................................................................................... 6 Learning objectives for Section 6............................................................................................... 7 Learning objectives for Section 7............................................................................................... 8 Learning objectives for Section 8............................................................................................... 9 Control questions to Section 1 ................................................................................................. 10 Control questions to Section 2 ................................................................................................. 27 Control questions to Section 3 ................................................................................................. 38 Control questions to Section 4 ................................................................................................. 50 Control questions to Section 5 ................................................................................................. 61 Control questions to Section 6 ................................................................................................. 66 Control questions to Section 7 ................................................................................................. 71 Control questions to Section 8 ................................................................................................. 75 INTRODUCTION The workbook contains learning objectives for each section to support the instructors and learners. The learning objectives suggest the following path to reach the learning objectives: a) to follow the lectures, b) to read the respective text part, c) to perform the exercises, d) to study the given IAEA references and e) to discuss with the tutor the application of the IAEA practices at the national level, after which the learner is able to reach the learning objectives. This implies much more than lectures during the training course. In fact, it is suggested that the participation in the IAEA training course is only one step on the learner’s way to comprehensive understanding of the subject matter: it is expected that the Member States organizations support the development of trainees with other activities such as on the job training e.g. on the basis of following workbook. For each section there are control questions aimed at assisting the learner to remember better the key issues of each respective section and to provide self-assessment of learning. In addition, this course material offers specific tasks to be carried out individually in order to encourage the learner to use Internet for finding useful information for comparison, to assist the learner to apply the knowledge and to study his/her own national arrangements and to compare them with international practices. The nomination of a personal tutor who would check the answers and provide further information if necessary is of advantage. For each section group activities are also proposed so that course participants from different horizons can compare their practices and learn from each other. 1 LEARNING OBJECTIVES FOR SECTION 1 Legislative and Regulatory Framework After following the lectures, studying the printed material, performing the exercises, studying the given IAEA references and after discussing with the tutor the application of the IAEA practices at the national level, the learner will be able to describe the following: • Fundamental international standards on nuclear safety i.e. IAEA Safety Standards and nuclear safety related conventions; • IAEA Requirements on governmental legislation and organization for nuclear safety; • Safety Fundamentals and basic features of safety criteria for nuclear power plants; • Convention on Nuclear Safety: technical obligations and implementation process; • Obligations of other safety related conventions; • Fundamentals of national regulatory framework; • Legal pyramid and the role of national regulatory guidance; • Some national good practices on legal and regulatory frameworks; • National legal and regulatory framework in the learner’s own country; • Comparison of the learner’s own country with international practices. FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY) 2 • INTERNATIONAL ATOMIC ENERGY AGENCY, Convention on Nuclear Safety, Legal Series No. 16 Vienna (1994). • INTERNATIONAL ATOMIC ENERGY AGENCY, The Safety of Nuclear Installations, Safety Series No. 110, Vienna (1993). • INTERNATIONAL ATOMIC ENERGY AGENCY, Legal and Governmental Infrastructure for Nuclear, Radiation, Radioactive Waste and Transport Safety, Safety Series No. GS-R-1, IAEA, Vienna (2000). LEARNING OBJECTIVES FOR SECTION 2 Regulatory Body After following the lectures, studying the printed material, performing the exercises, studying the given IAEA references and after discussing with the tutor the application of the IAEA practices at the national level, the learner will be able to describe the following: • IAEA guidance on regulatory organization and functions; • Some national good practices on regulatory organizations; • Licensing of a nuclear power plant; • Some national practices on licensing; • Quality assurance in the regulatory body; • Regulatory effectiveness and performance reviews; • Professionalism and training of the regulatory staff; • National regulatory practices in the learner’s own country; • Comparison of the learner’s own regulatory body with international practices. FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY) • INTERNATIONAL ATOMIC ENERGY AGENCY, Organization and Staffing of the Regulatory Body for Nuclear Facilities, Safety Series No. GS-G-1.1, IAEA, Vienna (2002). • OECD Nuclear Energy Agency, Committee on Nuclear Regulatory Activities, Inspection Philosophy, Inspection Organizations and Inspection Practices, Report OCDE/GD (97) 140, OECD/NEA, Paris (1997). • INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA International Regulatory Review Teams (IRRT), IAEA-TECDOC-703, IAEA, Vienna (1993). 3 LEARNING OBJECTIVES FOR SECTION 3 Assessment of Safety After following the lectures, studying the printed material, performing the exercises, studying the given IAEA references and after discussing with the tutor the application of the IAEA practices at the national level, the learner will be able to describe the following: • IAEA guidance on regulatory review and assessment function; • IAEA guidance on review and assessment methodology; • Defence in depth concept; • Postulated initiating events; • Analysis of fault conditions; • Some national good practices on regulatory review and assessment; • Assessment of modifications; • Assessment of operational experience; • Periodic safety review; • National regulatory review and assessment practices in the learner’s own country; • Comparison of the learner’s review and assessment practices with international practices. FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY) • INTERNATIONAL ATOMIC ENERGY AGENCY, Review and Assessment of Nuclear Facilities by the Regulatory Body, Safety Guide GS-G-1.2, IAEA, Vienna (2002). • INTERNATIONAL ATOMIC ENERGY AGENCY, Defence in Depth in Nuclear Safety, Safety Series No. 75-INSAG-10, IAEA, Vienna (1996). • INTERNATIONAL ATOMIC ENERGY AGENCY, Code on the Safety of Nuclear Power Plants: Siting, Safety Series No. 50-C-S (Rev. 1), IAEA (1988). • INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, Safety Series No. NS-R-1, IAEA, Vienna (2000). • INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Operation, Safety Series No. NS-R-2, IAEA (2000). • INTERNATIONAL ATOMIC ENERGY AGENCY, Periodic Safety Review of Operational Nuclear Power Plants, Safety Series No. 50-SG-O12, IAEA (1994). 4 LEARNING OBJECTIVES FOR SECTION 4 Inspection and Enforcement by the Regulatory Body After following the lectures, studying the printed material, performing the exercises, studying the given IAEA references and after discussing with the tutor the application of the IAEA practices at the national level, the learner will be able to describe the following: • IAEA guidance on inspection and enforcement function; • IAEA guidance on inspection and enforcement methods; • Some national good practices on inspection and enforcement; • Typical inspection programmes and types of inspection; • Inspection planning, implementation and reporting; • Inspection of plant modifications; • Inspection of operational events; • National inspection and enforcement practices in the learner’s own country; • Comparison of the learner’s inspection and enforcement practices with international practices. FUNDAMENTAL REFERENCE (TO BE READ THOROUGHLY) • INTERNATIONAL ATOMIC ENERGY AGENCY, Regulatory Inspection of Nuclear Facilities and Enforcement by the Regulatory Body, Safety Series No. GS-G-1.3, IAEA, Vienna (2002). 5 LEARNING OBJECTIVES FOR SECTION 5 Documentation After following the lectures, studying the printed material, performing the exercises, studying the given IAEA references and after discussing with the tutor the application of the IAEA practices at the national level, the learner will be able to describe the following: • IAEA guidance on documentation used in regulatory activities; • Licensing documents needed by the regulatory body from the applicant; • Documents generated by the regulatory body within the licensing process of a NPP; • Reporting by the NPP organization to the regulatory body; • Some national good practices on regulatory documentation; • The content and use of safety analysis report; • Documents needed for plant modifications; • Updating of documentation; • National documentation practices in the learner’s own country; • Comparison of the learner’s documentation practices with international practices. FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY) • INTERNATIONAL ATOMIC ENERGY AGENCY, Documentation to be Produced or Required in Regulating Nuclear Facilities, Safety Standard Series GS-G-1.4, IAEA Vienna (2002). 6 LEARNING OBJECTIVES FOR SECTION 6 Developing Safety After following the lectures, studying the printed material, performing the exercises, studying the given IAEA references and after discussing with the tutor the application of the IAEA practices at the national level, the learner will be able to describe the following: • IAEA guidance on development of safety culture; • Stages of safety culture in an organization and its development; • Role of regulator in the development of safety; • Assessment of safety culture: detecting incipient weaknesses; • Some national good practices on safety development; • Risk informed and performance based regulation in the USA; • National safety development practices in the learner’s own country; • Comparison of the learner’s own country with international practices. FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY) • INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Culture, Safety Series No. 75INSAG-4, IAEA, Vienna (1991). • INTERNATIONAL ATOMIC ENERGY AGENCY, Developing Safety Culture in Nuclear Activities, Safety Report No. 11, IAEA, Vienna (1999). • INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Operational Safety in Nuclear Power Plants, Safety Series No. 75-INSAG-13, IAEA, Vienna (1999). 7 LEARNING OBJECTIVES FOR SECTION 7 Emergency Arrangements After following the lectures, studying the printed material, performing the exercises, studying the given IAEA references and after discussing with the tutor the application of the IAEA practices at the national level, the learner will be able to describe the following: • IAEA guidance on emergency response; • Warning emergency management authorities; • Assessment, monitoring and measurement; • Intervention; • Emergency plans, facilities and equipment; training; • Communication; • National emergency response practices in the learner’s own country; • Comparison of the learner’s own country with international practices. FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY) • INTERNATIONAL ATOMIC ENERGY AGENCY, Intervention Criteria in a Nuclear or Radiation Emergency, Safety Standards Series No. 109, Vienna (1994). • INTERNATIONAL ATOMIC ENERGY AGENCY, Method for the Development of Emergency Response Preparedness for Nuclear or Radiological Accidents, IAEATECDOC-953, Vienna (1997). • INTERNATIONAL ATOMIC ENERGY AGENCY, Generic Assessment Procedures for Determining Protective Actions during a Reactor Accident, IAEA-TECDOC-955, Vienna (1997). • INTERNATIONAL ATOMIC ENERGY AGENCY, Training Manual for Reactor Accident Assessment and Response, Working Material, Vienna (1998). 8 LEARNING OBJECTIVES FOR SECTION 8 Communication with the Public After following the lectures, studying the printed material, performing the exercises, studying the given IAEA references and after discussing with the tutor the application of the IAEA practices at the national level, the learner will be able to describe the following: • IAEA guidance on public communication; • INES scale; • Role of the regulatory body in public communication; • Public communication during normal operation; • Public communication during emergencies; • National practices in public communication in the learner’s own country; • Comparison of the learner’s own country with international practices. FUNDAMENTAL REFERENCES (TO BE READ THOROUGHLY) • INTERNATIONAL ATOMIC ENERGY AGENCY, Communications on Nuclear, Radiation, Transport and Waste Safety: A Practical Handbook, TECDOC-1076, Vienna (1999). • INTERNATIONAL ATOMIC ENERGY AGENCY, INES Leaflet. 9 CONTROL QUESTIONS TO SECTION 1 The objective of these questions is to assist the learner to remember better the key issues of Section 1 and to provide self-assessment of learning. Please write your answers on the empty spaces reserved for the purpose. If agreed your personal tutor can check your answers. The right answers are found from the respective parts of textbook handling the topic. If you do not know the answer read the text carefully again. 1. According to the IAEA Requirements, list 5 most important topics, arrangements or organizations which government must establish for ensuring nuclear safety. ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 2. What is said about the operators’ responsibility in the IAEA Requirements? ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 3. According to the IAEA Requirements, list 5 important governmental topics which shall appear in the legislation (other than mentioned in the answer to question 1). ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 10 4. List 5 international conventions that have something to do with nuclear safety. ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 5. Explain the role of international safety related conventions in the Member State. ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 6. Explain the implementation process related to the Convention on Nuclear Safety. ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 7. Explain a) the role of Member State in the IAEA Safety Standards’ development process and b) the role of IAEA Safety Standards in the Member State. ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 11 ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 8. Explain the hierarchy of IAEA Safety Standards and compare them against the member state rules and regulations. ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 9. What is the difference (status and content) between technical requirements presented in the Convention on Nuclear Safety and in the IAEA Safety Fundamentals. ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 10. List the 5 IAEA Requirements documents which have something to do with nuclear safety. ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 12 11. What are the 3 main safety objectives mentioned by the IAEA Safety Standards and what do they say (in your own words)? 1.__________________________________________________________________________ ___________________________________________________________________________ 2.__________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 3.__________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ 12. List and explain 5 safety principles reflecting technical (design) aspects of safety, mentioned in the IAEA Safety Fundamentals (in your own words). 1.__________________________________________________________________________ ___________________________________________________________________________ 2.__________________________________________________________________________ ___________________________________________________________________________ 3.__________________________________________________________________________ ___________________________________________________________________________ 4.__________________________________________________________________________ ___________________________________________________________________________ 5.__________________________________________________________________________ ___________________________________________________________________________ 13 13. List and explain 3 safety principles reflecting “direct” operational safety aspects, mentioned in the IAEA Safety Fundamentals (in your own words). 1.____________________________________________________